Closed (c4-submissions closed this issue 11 months ago)
Rescinding is permissionless after DT expiration. Extending is optional for the PT owner. Anonymous stealth addresses do not matter here; the PT owner can simply not extend for identical behavior. Not a bug, intended behavior.
0xfoobar (sponsor) disputed
GalloDaSballo changed the severity to QA (Quality Assurance)
Possible griefing but if a person owns both tokens they can always claim their underlying
GalloDaSballo marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L325-L336
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L339-L350
Vulnerability details
Impact
There are two facts to consider:
- extend allows the expiry timestamp of a particular Delegate Token Id to be increased.
- rescind allows anyone to forcefully return the Delegate Token Id to the PT owner once it has expired.
Combining the effects of these two functions has the following impact.
Example: The PT owner has delegated a BAYC NFT. The delegated owner of the NFT privately asks the PT owner to extend the delegation rights in anticipation of an airdrop, and the PT owner privately takes $5000 from the DT owner as their share of the speculated airdrop. The PT owner then calls extend as per the deal, but privately front-runs their own call by calling rescind from an anonymous address, which transfers the DT back to the Principal Token owner. End result: the PT owner now owns the DT as well, and there is no way to prove that the PT owner was behind the attack.
Proof of Concept
Paste this test in DelegateToken.t.sol and run forge test --mt testPTRugsDT
Tools Used
Manual
Recommended Mitigation Steps
Create another function (say FinalRescind) that must be called after a block gap following the rescind call, and have that function perform the actual transfer of the DT. FinalRescind should check the expiry conditions again, so that an extend call made in between has the appropriate effect.
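As an added illustration of the two-step rescind proposed above (example code written for this page, not the DelegateToken contract's own), the following Python model reproduces the ordering problem under the current design and shows the mitigated flow; the class, method and constant names and the block-gap value are assumptions of the model, not identifiers from the audited contract.

```python
FINAL_RESCIND_GAP = 2  # constructed: blocks that must pass between the two rescind steps
class DelegateTokenModel:  # assumed name: a model of one token's state, not the audited code
    def __init__(self, pt_owner, dt_owner, expiry, block):
        self.pt_owner, self.dt_owner = pt_owner, dt_owner
        self.expiry, self.block = expiry, block  # both are block numbers
        self.rescind_requested_at = None

    def extend(self, caller, new_expiry):
        # Only the PT owner may extend, and only forwards in time.
        if caller != self.pt_owner or new_expiry <= self.expiry:
            raise PermissionError("extend: not PT owner or not an extension")
        self.expiry = new_expiry

    def rescind(self):
        # Current design: anyone may return an expired DT to the PT owner at once.
        if self.block < self.expiry:
            raise ValueError("rescind: delegation not expired")
        self.dt_owner = self.pt_owner

    def request_rescind(self):
        # Proposed design, step 1: only record the request and the block it was made in.
        if self.block < self.expiry:
            raise ValueError("request_rescind: delegation not expired")
        self.rescind_requested_at = self.block

    def final_rescind(self):
        # Proposed design, step 2: after the gap, re-check expiry before moving the DT.
        if self.rescind_requested_at is None or self.block < self.rescind_requested_at + FINAL_RESCIND_GAP:
            raise ValueError("final_rescind: no request, or block gap not elapsed")
        self.rescind_requested_at = None
        if self.block < self.expiry:  # an extend during the gap cancels the rescind
            return False
        self.dt_owner = self.pt_owner
        return True

def current_design():
    # Expiry reached at block 100; rescind is ordered ahead of extend in that block.
    t = DelegateTokenModel("pt", "dt", expiry=100, block=100)
    t.rescind()
    t.extend("pt", 200)  # succeeds, but the DT has already gone back to the PT owner
    return t.dt_owner

def two_step_design():
    t = DelegateTokenModel("pt", "dt", expiry=100, block=100)
    t.request_rescind()
    t.extend("pt", 200)  # the promised extension lands during the block gap
    t.block += FINAL_RESCIND_GAP
    finalised = t.final_rescind()  # False: the delegation is no longer expired
    return t.dt_owner, finalised
```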
Assessed type
DoS