search

code-423n4 / 2023-07-tapioca-findings

15 stars 10 forks source link

The `aoTap.sol#brokerClaim()` function can be frontrun by an attacker. #1478

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/aoTAP.sol#L139

Vulnerability details

Impact

Attacker can frontrun the aoTap.sol#brokerClaim() function and subsequently call the mint() to mint all the tokens.

Proof of Concept

The aoTap.sol#brokerClaim() function can be frontrun because the anyone can call the function once. The require statement just check broker == address(0) which can be bypassed by anyone.

function brokerClaim() external {
        require(broker == address(0), "AOTAP: only once");
        broker = msg.sender; //@audit setting broker can be front run by bots and mint millions of tokens.
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Assign the owner(the deployer) variable to the broker state variable then implement the 2 step transfer ownership process for transferring important addresses as done in the openzepplin's Ownable2step contract.

Assessed type

Access Control

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #111

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #111

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Overinflated severity

c4-judge commented 1 year ago

dmvt marked the issue as not a duplicate