Open code423n4 opened 2 years ago
Isn't that the case with every free trial system? If they use the same address, the lock manager could easily use the hook system to keep track of who already received a full refund and not grant it on the 2nd cancellation. The user could still use new addresses all the time, and in that case that would be valid, but that is actually the case with a lot of systems like that :) One of my roommates in college was just subscribing to a newspaper and getting the full risk-free refund by using a different name every time (but used the same address).
While I agree with the warden, there is potential for unlimited free trials. Limiting a free trial to a single address does not resolve the issue, as an attacker can generate any number of addresses from a single seed. However, I do understand this is a tricky issue to work around.
So I'm not sure how this should be treated, as it does affect how the protocol is intended to operate. Is there any reason for users to not abuse this @julien51? Typically with newspapers, you have to provide credit card details, so an individual is really limited by the number of cards they hold.
As you noted, there is no way to prevent free trials from being abused which is why by default, locks do not have a free trial: they have to be manually explicitly configured. From there, since it's trivial to just create an infinite number of accounts, anyone could just claim free trials over and over from new accounts.
As per sponsor, trials are not enabled by default. But seeing as this impacts protocol availability through abuse if enabled, I'll mark this as medium.
Handle: WatchPug
Vulnerability details
The current design/implementation allows users who have been refunded before to get another freeTrial. This can be exploited by malicious users to get an infinite free trial.
PoC
Given:
- keyPrice is 1 ETH;
- freeTrialLength is 31 days.
A malicious user can:
1. purchase(), pay 1 ETH and get 31 days of freeTrial on day 1;
2. cancelAndRefund() on day 30 and get 1 ETH of refund;
3. then call purchase() again, pay 1 ETH and get 31 days of freeTrial again.
Repeat the steps above and the user can get infinite freeTrial.
Impact
A malicious third party may provide a service named freeUnlock, which will call cancelAndRefund() and purchase() automatically right before the end of the freeTrial. This can cause fund loss to all the owners that provide a freeTrial.
Recommendation
Consider adding a mapping(address => uint256) freeTrialEnds and make sure each address can only get 1 freeTrial.
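The purchase/refund loop from the PoC and the recommended freeTrialEnds mapping, as an added Python model of the lock's refund logic (not Unlock's contract code). The Lock class, its prorated fallback refund, the 365-day expirationDuration and the attacker address are assumptions for the model; as the thread notes, the per-address fix does not stop an attacker who rotates to fresh addresses.

```python
DAY = 24 * 60 * 60
ETH = 10**18  # amounts are in wei

class Lock:
    """Simplified lock: keyPrice, expirationDuration, freeTrialLength and refunds (assumed model)."""

    def __init__(self, key_price, duration, free_trial_length, one_trial_per_address=False):
        self.key_price = key_price
        self.duration = duration
        self.free_trial_length = free_trial_length
        self.one_trial_per_address = one_trial_per_address
        self.balance = 0           # wei held by the lock owner
        self.expiration = {}       # holder -> key expiration timestamp
        self.purchased_at = {}     # holder -> timestamp of the latest purchase
        self.free_trial_ends = {}  # holder -> end of the single trial ever granted

    def purchase(self, buyer, value, now):
        assert value >= self.key_price, "insufficient payment"
        self.balance += value
        self.expiration[buyer] = now + self.duration
        self.purchased_at[buyer] = now
        # Mitigation from the recommendation: record the trial window once, never reset it.
        if buyer not in self.free_trial_ends:
            self.free_trial_ends[buyer] = now + self.free_trial_length

    def cancel_and_refund(self, holder, now):
        """Return wei refunded: full keyPrice inside the free trial, prorated otherwise."""
        assert holder in self.expiration and now < self.expiration[holder], "no valid key"
        if self.one_trial_per_address:
            in_trial = now < self.free_trial_ends[holder]
        else:  # vulnerable behaviour: the trial restarts with every purchase
            in_trial = now < self.purchased_at[holder] + self.free_trial_length
        if in_trial:
            refund = self.key_price
        else:
            remaining = self.expiration[holder] - now
            refund = self.key_price * remaining // self.duration  # assumed prorated refund
        self.balance -= refund
        del self.expiration[holder]
        return refund

def run_cycles(lock, attacker, cycles, start=0):
    """PoC loop: purchase on day 1, cancelAndRefund on day 30, repeat; returns refund per cycle."""
    refunds, now = [], start
    for _ in range(cycles):
        lock.purchase(attacker, 1 * ETH, now)
        now += 29 * DAY  # day 30 of the 31-day trial
        refunds.append(lock.cancel_and_refund(attacker, now))
    return refunds
```

With the vulnerable setting every cycle returns the full 1 ETH and the owner's balance stays at zero; with one_trial_per_address=True only the first cancellation is a full refund and later ones are prorated.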