Open code423n4 opened 1 year ago
Picodes marked the issue as primary issue
The Vault address is derivative of the (sender address, nonce). I don't see how this scenario is possible?
asselstine marked the issue as sponsor disputed
@asselstine exactly, so here it only depends on the nonce of the factory, so in case of reorg someone could "override" a vault deployment and all following transactions would still be executed
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L67-L78
Vulnerability details
Impact
Vaults are created from the factory via CREATE1, an attacker can frontrun deployVault to deploy at the same address but with different config. If the deployed chain reorg, a different vault might also be deployed at the same address.
Proof of Concept
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L67-L78
Recommended Mitigation Steps
Use CREATE2 and the vault config as salt.
Assessed type
MEV