Invalid. CREATE2 also uses the deployer address -> Bob cannot deploy at the same address as Alice even if he could exactly compute the address, unless Bob has Alice's private keys.
Re-org attack in factory
Severity
Medium Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/EscrowFactory.sol#L28-L39
Summary
Re-orgs can happen on all EVM chains. The issue arises when users rely on the derived address in advance, or try to deploy the escrow at the same address on different EVM chains: any funds sent to the new escrow could potentially be withdrawn by someone else. All in all, it could lead to the theft of user funds.
Vulnerability Details
Imagine that Alice deploys an escrow and then sends funds to it. Bob sees that a network block re-org happens and calls newEscrow, which creates an escrow at the address to which Alice sends funds. Then Alice's transactions are executed and Alice transfers funds to Bob's controlled escrow.
Impact
Alice will send funds to a malicious escrow contract in the case of a re-org.
Tools Used
Manual
Recommendations
The recommendation is basically the same as:
https://code4rena.com/reports/2023-01-rabbithole/#m-01-questfactory-is-suspicious-of-the-reorg-attack
Deploy the Escrow via create2 with a specific salt that includes msg.sender and tokenContract.
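A sketch of the recommended pattern, added here as an illustration and not code from the Cyfrin escrow repository: the Escrow contract, its constructor signature and the unsafe variant are hypothetical, and the hardened newEscrow binds the CREATE2 salt to msg.sender and tokenContract as the recommendation describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical minimal escrow; its constructor signature is assumed here,
// not taken from the audited code base.
contract Escrow {
    address public immutable buyer;
    address public immutable seller;
    address public immutable tokenContract;

    constructor(address _buyer, address _seller, address _tokenContract) {
        buyer = _buyer;
        seller = _seller;
        tokenContract = _tokenContract;
    }
}

contract EscrowFactory {
    // Weak pattern: plain CREATE. The address depends only on the factory's
    // address and nonce, so after a re-org a different caller's newEscrow()
    // can land on the address the original caller pre-computed.
    function newEscrowUnsafe(address seller, address tokenContract) external returns (Escrow) {
        return new Escrow(msg.sender, seller, tokenContract);
    }

    // Hardened pattern: CREATE2 with a salt bound to msg.sender and tokenContract.
    // Another caller gets a different salt, hence a different address, so a
    // re-org cannot put someone else's escrow where the buyer sends funds.
    function newEscrow(address seller, address tokenContract) external returns (Escrow) {
        return new Escrow{salt: _salt(msg.sender, tokenContract)}(msg.sender, seller, tokenContract);
    }

    // Pre-computes the deterministic address using the CREATE2 formula:
    // keccak256(0xff ++ factory ++ salt ++ keccak256(initcode))[12:].
    function computeEscrowAddress(address buyer, address seller, address tokenContract)
        external view returns (address)
    {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(Escrow).creationCode, abi.encode(buyer, seller, tokenContract))
        );
        bytes32 raw = keccak256(
            abi.encodePacked(bytes1(0xff), address(this), _salt(buyer, tokenContract), initCodeHash)
        );
        return address(uint160(uint256(raw)));
    }
    function _salt(address buyer, address tokenContract) internal pure returns (bytes32) {
        return keccak256(abi.encode(buyer, tokenContract));
    }
}
```

Because the salt is derived only from (buyer, tokenContract), a second newEscrow call from the same buyer for the same token reverts on the CREATE2 address collision; include the seller or a caller-supplied nonce in the salt if repeat deployments are needed.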