Open code423n4 opened 1 year ago
For transparency, warden requested to have labels removed and MR-New
added.
Medium risk label added per warden request.
Labels updated per dev clarification of needs.
This is the same as #24. This is not a new issue, the original issue is just unmitigated.
asselstine marked the issue as sponsor confirmed
I believe we've mitigated this, as the claimer swallows the error and emits an event
No; actually scratch that
I think I agree with @djb15 's comments, the result of the new implementation was the same as the original.
Picodes marked the issue as unmitigated
Picodes marked the issue as satisfactory
Missing label added to correctly display.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/main/src/Vault.sol#L1318-L1357
Vulnerability details
Title
M-02 - Malicious users can set their hooks to contracts that always revert, causing the Claimer's transaction to claim the user's prizes to revert
Original Issue
M-02 - Unintended or Malicious Use of Prize Winners' Hooks
Details
The previous implementation claimed the prizes for all the winners in one single transaction, and each winner was allowed to set arbitrary hooks that caused the Vault contract to perform arbitrary calls to the address of the user's hooks. As the original issue mentions, some consequences of allowing execution at arbitrary addresses are unauthorized side transactions with gas paid unbeknownst to the claimer, reentrant calls, and denial-of-service attacks on claiming transactions.
Mitigation
The mitigation limits the gas that can be spent on each hook call, and the hook call is now made inside a try-catch block.
The DoS on other users is still present: when a Claimer claims users' prizes in batches, if at least one of the hook calls reverts, the whole transaction claiming the users' prizes reverts.
Conclusion of the Mitigation and Proof of Concept of the New Bug
The mitigation solves most of the problems described in the original issue, but the problem of causing a DoS on claiming other users' prizes is still present.
As part of the mitigation, the hook calls are now made in a try-catch block, but if the hook call fails, a revert() is executed and the whole transaction claiming prizes reverts.
The underlying problem is the same one described in the original issue. This time, a malicious user can set as the hook of their account a malicious contract that always reverts; when this contract is called, the transaction claiming prizes reverts, causing losses to claimers, because the gas they spent attempting to claim the prizes is paid regardless of whether the transaction reverts.
Flow to claim prizes when a Claimer is enabled:
Claimer::claimPrizes() ==> Vault::claimPrize() ==> hookBefore() && PrizePool::claimPrize() && hookAfter()
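To make the remaining problem concrete, here is an added sketch (not the project's code) that places the mitigated call shape beside a tolerant one. The hook signature and the BeforeClaimPrizeFailed error come from this report; HookCallSketch, HOOK_GAS and the event name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hook interface with the signature the PoC in this report uses.
interface IVaultHooks {
    function beforeClaimPrize(address winner, uint8 tier, uint32 prizeIndex) external returns (address);
}

// Sketch of two ways a Vault can wrap a gas-limited hook call.
// HOOK_GAS is an assumed value, not the project's figure.
contract HookCallSketch {
    uint256 public constant HOOK_GAS = 150_000;
    mapping(address => IVaultHooks) public hooks;

    error BeforeClaimPrizeFailed(bytes reason);
    event BeforeClaimPrizeHookFailed(address indexed winner, bytes reason);

    function setHooks(IVaultHooks h) external { hooks[msg.sender] = h; }

    // Mitigated shape that is still DoS-able: the catch branch only re-raises,
    // so one reverting hook aborts the claimer's whole batch claim.
    function hookBeforeReverting(address winner, uint8 tier, uint32 prizeIndex)
        internal returns (address recipient)
    {
        IVaultHooks h = hooks[winner];
        if (address(h) == address(0)) return winner;
        try h.beforeClaimPrize{gas: HOOK_GAS}(winner, tier, prizeIndex) returns (address r) {
            recipient = r;
        } catch (bytes memory reason) {
            revert BeforeClaimPrizeFailed(reason); // whole tx reverts, gas already spent
        }
    }

    // Hardened shape: treat the hook as untrusted, swallow its failure (including
    // exhausting the HOOK_GAS stipend), fall back to paying the winner directly,
    // and emit an event so the failed hook is observable off-chain.
    function hookBeforeTolerant(address winner, uint8 tier, uint32 prizeIndex)
        internal returns (address recipient)
    {
        IVaultHooks h = hooks[winner];
        if (address(h) == address(0)) return winner;
        try h.beforeClaimPrize{gas: HOOK_GAS}(winner, tier, prizeIndex) returns (address r) {
            recipient = r;
        } catch (bytes memory reason) {
            emit BeforeClaimPrizeHookFailed(winner, reason);
            recipient = winner; // this winner is still paid; the batch continues
        }
    }
}
```

Note that Solidity decodes the hook's return data outside the try block, so a hook set to an address with no code (empty return data) still reverts the caller even in the tolerant shape; a production version would check extcodesize or use a low-level call and decode the result itself.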
Coded PoC
Add the next test to the Vault.t.sol test file in the Vault repository. Create the MaliciousHook.sol contract in the src/ folder:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hook that reverts unconditionally, so any claim batch that reaches it fails.
contract MaliciousHook {
    function beforeClaimPrize(address winner, uint8 tier, uint32 prizeIndex) external returns (address) {
        revert("Forcing to revert");
    }
}
```
```text
Running 1 test for test/unit/Vault/Vault.t.sol:VaultTest
[FAIL. Reason: BeforeClaimPrizeFailed(0x)] testClaimPrizeMaliciousHookPoC() (gas: 140886)
Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 7.24ms
Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)

Failing tests:
Encountered 1 failing test in test/unit/Vault/Vault.t.sol:VaultTest
[FAIL. Reason: BeforeClaimPrizeFailed(0x)] testClaimPrizeMaliciousHookPoC() (gas: 140886)

Encountered a total of 1 failing tests, 0 tests succeeded
```
Assessed type
Context