As part of the migration of a vault, the commit function is called to kickoff the buyout process for the migration.
Its possible that any EOA address can initiate a start function on the Buyout module with a very low amount of msg.value and prevent the above
migration-commit to revert, by front-running it.
Impact
Impact the migration process. Denial of service attack can be done repeatedly, so that migration is postponed indefinitely.
Proof of Concept
Contract : Migration.sol, function commit()
Contract : Buyout.sol, function start()
Recommended Mitigation Steps
Alternate design with either permissioned call to start function or queueing the requests for the start function call.
Lines of code
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L210 https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Buyout.sol#L57
Vulnerability details
As part of the migration of a vault, the commit function is called to kickoff the buyout process for the migration. Its possible that any EOA address can initiate a start function on the Buyout module with a very low amount of msg.value and prevent the above migration-commit to revert, by front-running it.
Impact
Impact the migration process. Denial of service attack can be done repeatedly, so that migration is postponed indefinitely.
Proof of Concept
Contract : Migration.sol, function commit() Contract : Buyout.sol, function start()
Recommended Mitigation Steps
Alternate design with either permissioned call to start function or queueing the requests for the start function call.