Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/PrePOMarketFactory.sol#L25
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/PrePOMarketFactory.sol#L46-L47
Vulnerability details
Impact
The createMarket() function requires the user to input two salts manually to use when deploying the long and short tokens using CREATE2.
This can lead to colliding addresses and reverted transactions.
Proof of Concept
CREATE2 chooses the contract address based on the sender address, the salt and the deployed bytecode.
Since the factory is always the sender and the bytecode is always the same, any two tokens deployed with the same salt will lead to an address collision.
This requires the sender to track and manually ensure they don't submit with overlapping salts.
Tools Used
Manual Review
Recommended Mitigation Steps
Generate the salt from attributes unique to the transaction, such as a hash of the token name, timestamp, and expiry.
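A minimal sketch of the collision from the proof of concept and of the recommended salt derivation, added here as an example and not taken from the prePO code base. DemoToken, SaltDemoFactory and all function names are hypothetical; the nonce counter is an assumption beyond the attributes listed above, included because name, timestamp and expiry can all repeat within one block.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Hypothetical stand-in for the long/short token; not the project's contract.
contract DemoToken {
    string public name;

    constructor(string memory _name) {
        name = _name;
    }
}

// Hypothetical factory contrasting a caller-supplied salt with a derived one.
contract SaltDemoFactory {
    // Assumption: a per-factory counter so two derived salts can never repeat.
    uint256 public nonce;

    // CREATE2 address = last 20 bytes of
    // keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode)).
    // Lets a caller check in advance whether a salt maps to an occupied address.
    function predict(bytes32 salt, string memory tokenName) public view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(DemoToken).creationCode, abi.encode(tokenName))
        );
        return address(uint160(uint256(
            keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash))
        )));
    }

    // Pattern from the finding: the caller picks the salt. A second call with the
    // same salt and the same init code targets an occupied address and reverts.
    function deployWithCallerSalt(bytes32 salt, string memory tokenName) external returns (address) {
        return address(new DemoToken{salt: salt}(tokenName));
    }

    // Mitigation sketch: the factory derives the salt, so callers no longer
    // have to track which salts were already used.
    function deployWithDerivedSalt(string memory tokenName, uint256 expiry) external returns (address) {
        bytes32 salt = keccak256(abi.encode(tokenName, expiry, block.timestamp, nonce++));
        return address(new DemoToken{salt: salt}(tokenName));
    }
}
```

Calling deployWithCallerSalt twice with identical arguments reverts on the second call, while repeated deployWithDerivedSalt calls with identical arguments succeed because the nonce changes the salt each time.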