search

code-423n4 / 2023-06-llama-findings

2 stars 1 forks source link

Attacker can revert execution by frontrunning "createAction" #141

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-llama/blob/9d641b32e3f4092cc81dbac7b1c451c695e78983/src/LlamaPolicy.sol#L404-L409

Vulnerability details

Impact

Malicious user can frontrun "createAction" to make action execution revert due to the "_assertNoActionCreationsAtCurrentTimestamp" check

Proof of Concept

function _assertNoActionCreationsAtCurrentTimestamp() internal view {
    if (llamaExecutor == address(0)) return; // Skip check during initialization.
    address llamaCore = LlamaExecutor(llamaExecutor).LLAMA_CORE();
    uint256 lastActionCreation = LlamaCore(llamaCore).getLastActionTimestamp();
    if (lastActionCreation == block.timestamp) revert ActionCreationAtSameTimestamp();
}

If "executeAction" is called to execute an action targeting "setRoleHolder" or "revokePolicy", which will do the "_assertNoActionCreationsAtCurrentTimestamp" check. A malicious user with permission to create actions could frontrun the "createAction" function to make the execution revert because the lastActionCreation would then be equal to block.timestamp.

Tools Used

Manual Review

Recommended Mitigation Steps

Delete "_assertNoActionCreationsAtCurrentTimestamp"

Assessed type

DoS

0xSorryNotSorry commented 1 year ago

Same submission of https://github.com/code-423n4/2023-06-llama-findings/issues/142

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

gzeon-c4 marked the issue as nullified