code-423n4 / 2021-11-unlock-findings


Malicious user can get infinite free trial by repeatedly refunding and repurchasing right before the freeTrial ends #189

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

The current design/implementation allows users who were refunded before to get another freeTrial. This can be exploited by malicious users to get an infinite free trial.

PoC

Given:

A malicious user can:

  1. Call purchase(), pay 1 ETH and get 31 days of freeTrial on day 1;
  2. Call cancelAndRefund() on day 30 and get 1 ETH of refund; then call purchase() again, pay 1 ETH and get 31 days of freeTrial again.

Repeat the steps above and the user can get infinite freeTrial.

Impact

A malicious third party may provide a service named freeUnlock, which will call cancelAndRefund() and purchase() automatically right before the end of the freeTrial. This can cause fund loss to all the owners that provide a freeTrial.

Recommendation

Consider adding a mapping(address => uint256) freeTrialEnds and make sure each address can only get 1 freeTrial.
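The following is an added illustration of the recommendation above, not code from the Unlock repository or from the warden: a deliberately simplified, hypothetical lock contract (names such as `keyPrice`, `freeTrialLength`, `purchase()` and `cancelAndRefund()` are borrowed from the report for readability) that shows the refund calculation in the shape the finding describes next to a hardened version that records each address's first trial in a `freeTrialEnds` mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified lock used only to illustrate finding #189.
// It is NOT Unlock's PublicLock; the names are assumptions for readability.
contract TrialLock {
    uint256 public immutable keyPrice;
    uint256 public immutable expirationDuration;
    uint256 public immutable freeTrialLength; // 0 disables the free trial

    mapping(address => uint256) public keyExpiration;  // when the holder's key expires
    mapping(address => uint256) public keyPurchasedAt; // when the current key was bought
    // Recommended fix: remember when each address's single free trial ended
    // (0 means the address never started one).
    mapping(address => uint256) public freeTrialEnds;

    constructor(uint256 _keyPrice, uint256 _expirationDuration, uint256 _freeTrialLength) {
        keyPrice = _keyPrice;
        expirationDuration = _expirationDuration;
        freeTrialLength = _freeTrialLength;
    }

    function purchase() external payable {
        require(msg.value == keyPrice, "wrong price");
        require(keyExpiration[msg.sender] <= block.timestamp, "key still valid");
        keyPurchasedAt[msg.sender] = block.timestamp;
        keyExpiration[msg.sender] = block.timestamp + expirationDuration;
        // Only the first purchase per address opens a trial window; a repurchase
        // after a refund leaves the original value untouched.
        if (freeTrialLength > 0 && freeTrialEnds[msg.sender] == 0) {
            freeTrialEnds[msg.sender] = block.timestamp + freeTrialLength;
        }
    }

    // Shape described by the finding: the trial window is measured from the
    // *current* purchase, so refund + repurchase restarts it indefinitely.
    function refundAmountVulnerable(address holder) public view returns (uint256) {
        if (freeTrialLength > 0 &&
            block.timestamp < keyPurchasedAt[holder] + freeTrialLength) {
            return keyPrice;
        }
        return proRatedRefund(holder);
    }

    // Hardened shape: a full refund is only granted inside the address's first
    // trial window; every later cancellation is pro-rated like an ordinary key.
    function refundAmount(address holder) public view returns (uint256) {
        if (freeTrialEnds[holder] != 0 && block.timestamp < freeTrialEnds[holder]) {
            return keyPrice;
        }
        return proRatedRefund(holder);
    }

    function proRatedRefund(address holder) internal view returns (uint256) {
        uint256 exp = keyExpiration[holder];
        if (exp <= block.timestamp) return 0;
        return keyPrice * (exp - block.timestamp) / expirationDuration;
    }

    function cancelAndRefund() external {
        require(keyExpiration[msg.sender] > block.timestamp, "no valid key");
        uint256 amount = refundAmount(msg.sender);
        keyExpiration[msg.sender] = block.timestamp; // cancel before paying out
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

Walking the report's timeline through `refundAmount`: the purchase on day 1 sets `freeTrialEnds` to day 32, the refund on day 30 is still full, but the repurchase on day 30 does not move `freeTrialEnds`, so the next cancellation on day 59 falls outside the window and is pro-rated. As the discussion below notes, this only limits one address; an attacker with fresh addresses is not stopped, which is why the trial is off unless a lock manager explicitly enables it.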

julien51 commented 2 years ago

Isn't that the case with every free trial system? If they use the same address the lock manager could easily use the hook system to keep track of who already had received a full refund and not grant it on the 2nd cancellation. The user could still use new addresses all the time, and in that case that would be valid, but that is actually the case with a lot of systems like that :) One of my roommates in college was just subscribing to newspaper and getting the full risk-free refund by using a different name every time (but used the same address)

0xleastwood commented 2 years ago

While I agree with the warden, there is potential for unlimited free trials. Limiting a free trial to a single address does not resolve the issue as an attacker can generate any number of addresses from a single seed. However, I do understand this is a tricky issue to work around.

0xleastwood commented 2 years ago

So I'm not sure how this should be treated as it does affect how the protocol is intended to operate. Is there any reason for users to not abuse this @julien51 ? Typically with newspapers, you have to provide credit card details, so an individual is really limited by the number of cards they hold.

julien51 commented 2 years ago

As you noted, there is no way to prevent free trials from being abused which is why by default, locks do not have a free trial: they have to be manually explicitly configured. From there, since it's trivial to just create an infinite number of accounts, anyone could just claim free trials over and over from new accounts.

0xleastwood commented 2 years ago

As per sponsor, trials are not enabled by default. But seeing as this impacts protocol availability through abuse if enabled, I'll mark this as medium.