Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reducing randomness can force open season #32

Closed
Tracked by #88
code423n4 opened this issue Oct 19, 2022 · 3 comments
Closed
Tracked by #88

Reducing randomness can force open season #32

code423n4 opened this issue Oct 19, 2022 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists responded The Holograph team has reviewed and responded sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/holographxyz/holograph-protocol/blob/c4_audit/contracts/HolographOperator.sol#L849

Vulnerability details

Impact

User can call bondUtilityToken function with large pod value which ensure pushing [address(0)] from _operatorPods.length till pod.

This becomes a problem _operatorPods.length increases dramatically causing randomess to reduce significantely in crossChainMessage. Reason being random % _operatorPods.length will mostly result in unused pod with address(0) as only operator, causing open season where anyone can execute the job

Proof of Concept

  1. User A calls the bondUtilityToken function with pod say 100
  function bondUtilityToken(
    address operator,
    uint256 amount,
    uint256 pod
  ) external {
...
for (uint256 i = _operatorPods.length; i <= pod; i++) {
          /**
           * @dev add zero address into pod to mitigate empty pod issues
           */
          _operatorPods.push([address(0)]);
        }
...
}

  1. Lets say _operatorPods initially had 2 elements so after calling this function and pod as 100 this will push address(0) 98 times making the _operatorPods length as 100

  2. This becomes a problem while calling crossChainMessage function

function crossChainMessage(bytes calldata bridgeInRequestPayload) external payable {
...
uint256 pod = random % _operatorPods.length;
uint256 podSize = _operatorPods[pod].length;
 uint256 operatorIndex = random % podSize;
...
}

  1. Assume random is selected as 10, which makes pod as 10 and _operatorPods[pod].length is 1 (while initializing one dummy operator with address 0 is added). This makes operatorIndex as 0 (random%1=0)

  2. Now 0 operatorIndex means open season and anyone can execute the job

/**
       * @dev If operator index is 0, then it's open season! Anyone can execute this job. First come first serve
       *      pop operator to ensure that they cannot be selected for any other job until this one completes
       *      decrease pod size to accomodate popped operator
       */

Recommended Mitigation Steps

Do not allow user to specify a very large value for pods
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 19, 2022
code423n4 added a commit that referenced this issue Oct 19, 2022
@code423n4
csanuragjain issue #32
7b1a90e
@gzeoneth gzeoneth added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Oct 30, 2022
@gzeoneth gzeoneth mentioned this issue Oct 30, 2022
Open
@gzeoneth
Copy link
Member

As noted in #256, this seems to be bounded since the cost of joining higher pod increase exponentially

@alexanderattar
Copy link

Design decision. Operator that bonds massive amounts of tokens to a higher than next pod is purposefully punished by decreasing their probability of exclusive job rights. Forces a gradual bonding curve

@alexanderattar alexanderattar added the responded The Holograph team has reviewed and responded label Nov 8, 2022
@gzeoneth
Copy link
Member

#432 as primary

@gzeoneth gzeoneth added the duplicate This issue or pull request already exists label Nov 21, 2022
@ACC01ADE ACC01ADE mentioned this issue Nov 22, 2022
Merged
53 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists responded The Holograph team has reviewed and responded sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alexanderattar @code423n4 @gzeoneth