search

code-423n4 / 2023-05-juicebox-findings

1 stars 1 forks source link

Mutexes can be tampered with to increase gas costs #273

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/9d0458282511ff269b3b35b5b082b56d5cc08663/juice-buyback/contracts/JBXBuybackDelegate.sol#L144-L171

Vulnerability details

Impact

An attacker can set mintedAmount and reservedRate to 0 which incurs greater gas fees when calling payParams(). In the worst case this might cause the transaction to revert if the gas limit was tightly set to the expected gas cost.

Proof of Concept

mintedAmount and reservedRate are supposed to be set 1-x-1 in the call flow to JBXBuybackDelegate, 1-x in payParams() and x-1 in didPay(). However, payParams() is not access restricted so anyone can call this with _data.amount.value: 0 and _data.reservedRate: 0 which sets mintedAmount and reservedRate to 0, before the intended call flow. Then the user would have to pay for two 0-x-1 assignments. Setting 0-x costs 20000 gas, compared to 5000 gas for 1-x. Thus the user would have to pay 30000 gas extra after the attacker has tampered with the mutexes. If the user has set his gas limit to just above the expected gas cost of the 1-x-1 case, then his transaction will revert.

Recommended Mitigation Steps

Restrict access to payParams(), similarly to how didPay() is restricted.

Assessed type

DoS

c4-pre-sort commented 1 year ago

dmvt marked the issue as low quality report

dmvt commented 1 year ago

gas report

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Overinflated severity

d3e4 commented 1 year ago

gas report

This is not a gas optimisation. It is maliciously increasing the gas cost for a user such that his call might even revert due to out of gas.