Lines of code

https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L198

Vulnerability details

Impact

A bad actor can take control over other people's voting power in the delegate proxy contracts.

Let's start from delegateMulti. When somebody calls it, it leads to _delegateMulti, which calls _processDelegation(source, target, amount) inside its loop. That function deploys a proxy if needed, because that is how deployProxyDelegatorIfNeeded works. Now let's look at the function deployProxyDelegatorIfNeeded:

```solidity
function deployProxyDelegatorIfNeeded(
    address delegate
) internal returns (address) {
    address proxyAddress = retrieveProxyContractAddress(token, delegate);

    // check if the proxy contract has already been deployed
    uint bytecodeSize;
    assembly {
        bytecodeSize := extcodesize(proxyAddress)
    }

    // if the proxy contract has not been deployed, deploy it
    if (bytecodeSize == 0) {
        new ERC20ProxyDelegator{salt: 0}(token, delegate);
        emit ProxyDeployed(delegate, proxyAddress);
    }
    return proxyAddress;
}
```

It checks whether the proxy address already exists. If yes, it skips the deployment; if not, it deploys the proxy at the generated address. BUT if we look at how the address is generated in retrieveProxyContractAddress, you can see there is no increasing nonce in the hashing process. This allows a bad actor to front-run the user, create the exact same hash, deploy a contract at that address as the proxy delegator and take control over it. When the user then reaches this step, deployProxyDelegatorIfNeeded will skip because the proxy is already deployed, and the bad actor has control over it.

Proof of Concept
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L198
Tools Used
VS Code
Recommended Mitigation Steps
Assessed type
Other