code-423n4 / 2023-07-tapioca-findings


[M-03] Multiple calls are executed in the same transaction #520

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L51
https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L79

Vulnerability details

Impact

Detailed description of the impact of this finding. Multiple calls are executed in the same transaction. DoS with Failed Call.

This call is executed following another call within the same transaction. It is possible that the call never gets executed if a prior call fails permanently. This might be caused intentionally by a malicious callee.

Proof of Concept

Provide direct links to all referenced code in GitHub.

// https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L51
            (result.success, result.returnData) = calli.target.call(
// https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L79
            (result.success, result.returnData) = calli.target.call{value: val}(

Add screenshots, logs, or any other relevant proof that illustrates the concept.

POC

// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.6.0 <0.9.0;

import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/Multicall/Multicall3.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IAggregatorV3Interface.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IBidder.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IBigBang.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/ICommonData.sol";
import "./Multicall3.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IMarket.sol";
import {IUSDOBase} from "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IUSDO.sol";

contract AttackMulticall3 is Multicall3 {

    Multicall3 public multicall3; 

    function attack(Multicall3 _multicall3) external payable {
        multicall3 = Multicall3(_multicall3);
        multicall3.multicall{value: msg.value}(bytes("0xh3xh3xh3xh3xh3xh3xh3xh3xh3xh3x"));
    }

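    // Returns this contract's ETH balance so the value can be read after attack().
    function getBalance() public view returns (uint256) {
        return address(this).balance;
    }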
}

DoS Test Case

NB: Using Remix DEV Foundry. Activate anvil in cmd or bash first.
1. Switch to the first account (as alice) and deploy the victim contract.
2. Switch to the second account (as eve) and deploy the attack contract.
3. Switch to the first account (as alice), select 1 ETH, enter the bytes value as 0x1 and click the multicall() button.
4. Switch to the second account (as eve), select 2 ETH, paste the victim contract address for alice in the input box next to the attack() button and then click the attack() button.
5. In account 2 for eve, click the getBalance button; the balance is 2 ETH.

Logs

Victim Address

0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266

Attacker Address

0x70997970C51812dc3A010C7d01b50e0d17dc79C8

Attacker Balance After Attack button is clicked

Balance: 2 ETH

Tools Used

MythX, VS Code, Foundry, Remix

Recommended Mitigation Steps

If possible, refactor the code such that each transaction only executes one external call or make sure that all callees can be trusted (i.e. they're part of your own codebase).

Assessed type

DoS
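The failure mode described under Impact, as an added Solidity sketch that is not part of the report or of Tapioca's code: a batch that reverts on the first failed call, beside one that records each call's `success` flag the way the two quoted `Multicall3.sol` lines assign `result.success`. `BatchSketch`, `Call`, `Result` and `allowFailure` are hypothetical names chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration only; every name here is hypothetical and this is
/// not Tapioca's Multicall3.
contract BatchSketch {
    struct Call {
        address target;
        bool allowFailure; // hypothetical per-call flag set by the caller
        bytes callData;
    }

    struct Result {
        bool success;
        bytes returnData;
    }

    /// Fail-closed: the first failing callee reverts the whole batch, so no
    /// later call in the same transaction takes effect.
    function strictBatch(Call[] calldata calls) external returns (bytes[] memory out) {
        out = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].target.call(calls[i].callData);
            require(ok, "BatchSketch: call failed");
            out[i] = ret;
        }
    }

    /// Failure-isolating: each outcome is recorded and the loop continues
    /// unless the caller marked that call as mandatory.
    function tolerantBatch(Call[] calldata calls) external returns (Result[] memory results) {
        results = new Result[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            Call calldata c = calls[i];
            (bool ok, bytes memory ret) = c.target.call(c.callData);
            if (!ok && !c.allowFailure) {
                revert("BatchSketch: mandatory call failed");
            }
            results[i] = Result({success: ok, returnData: ret});
        }
    }
}
```

Recording `success` isolates reverts only; it does not bound the gas a callee consumes or the size of the data it returns.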

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

Invalid

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid