Cyfrin / 2023-08-sparkn


deployProxyAndDistributeBySignature() can be frontrun #691

Closed codehawks-bot closed 12 months ago

codehawks-bot commented 1 year ago

deployProxyAndDistributeBySignature() can be frontrun

Severity

High Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-08-sparkn/blob/main/src/ProxyFactory.sol#L152L167

Summary

deployProxyAndDistributeBySignature() is susceptible to frontrunning, where an attacker can exploit the transaction by replicating the transaction with a higher gas fee.

Vulnerability Details

ProxyFactory.sol is responsible for both creating proxies and invoking them to deliver rewards to the winners. deployProxyAndDistributeBySignature() permits a user to deploy a proxy and send rewards to the winners on the organizer's behalf, granted they possess the necessary signature. However, if an attacker monitors the mempool and identifies the transaction, they can replicate it with a higher gas fee, altering the data field to position themselves as the sole recipient of rewards, so that their transaction is verified first, stealing the funds.

function deployProxyAndDistributeBySignature(
    address organizer,
    bytes32 contestId,
    address implementation,
    bytes calldata signature,
    bytes calldata data
) public returns (address) {
    bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));
    if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature();
    bytes32 salt = _calculateSalt(organizer, contestId, implementation);
    if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();
    if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();
    address proxy = _deployProxy(organizer, contestId, implementation);
    _distribute(proxy, data);
    return proxy;
}

Impact

The rewards of the winners could be stolen.

Tools Used

Manual review.

Recommendations

A solution to this issue could involve the implementation of a mapping that grants explicit approval to certain users for utilizing the organizer's signature.
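One way the approval mapping from the Recommendations could look, as an added example that is not part of the original report or the Sparkn code base. The names `RelayerGate`, `approvedRelayer`, `setRelayerApproval`, `_checkRelayerAndSignature` and the `RelayerGate__*` errors are hypothetical, and the OpenZeppelin import paths are an assumption based on the `ECDSA.recover` and `_hashTypedDataV4` calls in the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumption: OpenZeppelin's ECDSA and EIP712, matching the calls in the excerpt.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

/// Added example (hypothetical names): an organizer-managed allowlist of
/// addresses permitted to submit that organizer's signed distribution.
abstract contract RelayerGate is EIP712 {
    error RelayerGate__NotApprovedRelayer();
    error RelayerGate__InvalidSignature();

    event RelayerApprovalSet(address indexed organizer, address indexed relayer, bool approved);

    // organizer => relayer => may use the organizer's signature
    mapping(address => mapping(address => bool)) public approvedRelayer;

    /// The caller is the mapping key, so an organizer can only edit
    /// their own allowlist and cannot approve relayers for anyone else.
    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
        emit RelayerApprovalSet(msg.sender, relayer, approved);
    }

    /// Intended to run first in deployProxyAndDistributeBySignature():
    /// rejects callers the organizer has not approved, then performs the
    /// same digest and signer check shown in the excerpt.
    function _checkRelayerAndSignature(
        address organizer,
        bytes32 contestId,
        bytes calldata signature,
        bytes calldata data
    ) internal view {
        if (!approvedRelayer[organizer][msg.sender]) revert RelayerGate__NotApprovedRelayer();
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));
        if (ECDSA.recover(digest, signature) != organizer) revert RelayerGate__InvalidSignature();
    }
}
```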

PatrickAlphaC commented 12 months ago

https://github.com/Cyfrin/2023-08-sparkn/issues/251#issuecomment-1709414598