search

code-423n4 / 2023-03-wenwin-findings

1 stars 1 forks source link

`swapSource` in `RNSourceController` contract can be frontrunned and eventually lead to a DoS #486

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceController.sol#L89-L104

Vulnerability details

Impact

A malicious randon source con frontrun calls to swapSource and prevent protocol owners from changing the random source by frontrunning the call with a transaction to onRandomNumberFulfilled which effectively resets the failedSequentialAttempts to zero, making the original call to swapSource revert.

This process can be repeated any number of times, eventually leading to a DoS and the impossibility of changing the random source.

Proof of Concept

  1. Source timeouts and doesn't return request response, retry is called until failedSequentialAttempts == maxFailedAttempts.
  2. Protocol owners call swapSource to change the random source of the contract
  3. Current random source frontruns the call with a call to onRandomNumberFulfilled which resets the failedSequentialAttempts back to 0.
  4. Original transaction from (2) gets reverted as failedSequentialAttempts is now less than maxFailedAttempts.

Recommendation

In case of maxFailedAttempts enter a more robust "pause" state that lets protocol owners deal better with the current situation.

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

thereksfour marked the issue as grade-a

rand0c0des commented 1 year ago

This is highly unlikely with ChainLink VRFv2. However, seems like a valid concern.

c4-sponsor commented 1 year ago

rand0c0des marked the issue as sponsor acknowledged