search

code-423n4 / 2023-07-pooltogether-findings

12 stars 7 forks source link

`VaultFactory` is suspicious of the reorg attack #238

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L67

Vulnerability details

Impact

Exploits involving Stealing of funds.

Proof of Concept

The deployVault function deploys a new vault contract using the create, where the address derivation depends only on the arguments passed.

At the same time, some of the chains (Polygon, Optimism, Arbitrum) to which the VaultFactory will be deployed are suspicious of the reorg attack.

File: VaultFactory.sol

67:      Vault _vault = new Vault(

Link to Code

Even more, the reorg can be couple of minutes long. So, it is quite enough to create the position and transfer funds to that address, especially when someone uses a script, and not doing it by hand.

Optimistic rollups (Optimism/Arbitrum) are also suspect to reorgs since if someone finds a fraud the blocks will be reverted, even though the user receives a confirmation and already created a position.

If Alice creates a new vault, and then sends funds to it. Bob sees that the network block reorg happens and calls deployVault. Thus, it creates vault with an address to which Alice sends funds. Then Alices' transactions are executed and Alice transfers funds to Bob's controlled vault.

Tools Used

VS Code

Recommended Mitigation Steps

Deploy the Vault contract via create2 with salt.

Assessed type

Other

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #416

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory