code-423n4 / 2023-10-ethena-findings


Bad actor can block the operation of mint by creating a duplicate order by front running the original order #696

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/EthenaMinting.sol#L172-L173

Vulnerability details

Impact

Bad actor can block the operation of mint by creating a duplicate order by front running the original order

So basically, the contracts process orders from users' RFQs to the system, whether via the API or the front end, and then run the mint process. The problem is in the contract EthenaMinting.sol, in the mint() function: at line 172 it checks whether the order is a duplicate or not based on two factors, the benefactor and, the important one, the NONCE value, and if it is a duplicate it will revert. This makes it possible for an attacker to take advantage of it, grief the users, and block the mint process completely.

How? The nonce used in the contract isn't an accurate NONCE value: it is generated by the front end, and users can EVEN set an optional nonce value themselves. This gives an attacker the opportunity to front run the tx and create the same order with the same nonce and benefactor, then mint and redeem and repeat for the TARGET user, and can easily BLOCK someone from minting.

Users can easily access the API and front end and then send RFQ requests; check this out: https://i.ibb.co/9GWmqs1/image.png

THE NONCE MECHANISM IS IMPLEMENTED WRONGLY, and it is stupid to get the nonce from the front end or to make it optional. THIS IS THE REASON WHY THEY PUT THE NONCE IN THE CONTRACT AND INCREASE IT, so no one can change it and every call should generate a new nonce.

A nonce means a newly generated number, so surprise, what the heck if anyone can call mint with any nonce they can. Wait, what? :)

Note: I'm reporting this issue again because I accidentally reported it before without writing the proof of concept part. Thanks.

Proof of Concept

https://i.ibb.co/9GWmqs1/image.png

  function mint(Order calldata order, Route calldata route, Signature calldata signature)
    external
    override
    nonReentrant
    onlyRole(MINTER_ROLE)
    belowMaxMintPerBlock(order.usde_amount)
  {
    if (order.order_type != OrderType.MINT) revert InvalidOrder();
    verifyOrder(order, signature);
    if (!verifyRoute(route, order.order_type)) revert InvalidRoute();
    if (!_deduplicateOrder(order.benefactor, order.nonce)) revert Duplicate();
    // Add to the minted amount in this block
    mintedPerBlock[block.number] += order.usde_amount;
    _transferCollateral(
      order.collateral_amount, order.collateral_asset, order.benefactor, route.addresses, route.ratios
    );
    usde.mint(order.beneficiary, order.usde_amount);
    emit Mint(
      msg.sender,
      order.benefactor,
      order.beneficiary,
      order.collateral_asset,
      order.collateral_amount,
      order.usde_amount
    );
  }

Tools Used

Manually. VS Code

Recommended Mitigation Steps

Assessed type

MEV
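
The order of checks in the mint() quoted in the report above, as a simplified Python model (an added example, not part of the submission or of Ethena's code). It assumes verifyOrder() only accepts a signature made by order.benefactor; the HMAC stand-in for signatures, the keys, the account names and the NotMinter/BadSignature labels are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: per-account signing keys and the MINTER_ROLE holders.
KEYS = {"alice": b"constructed-key-a", "mallory": b"constructed-key-m"}
MINTERS = {"minter-bot"}
used_nonces = set()  # consumed (benefactor, nonce) pairs, as in _deduplicateOrder


@dataclass(frozen=True)
class Order:
    benefactor: str
    nonce: int
    usde_amount: int


def sign(signer: str, order: Order) -> bytes:
    """HMAC stand-in for the order signature (assumption, not the real scheme)."""
    msg = f"{order.benefactor}|{order.nonce}|{order.usde_amount}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def mint(caller: str, order: Order, signature: bytes) -> str:
    """Apply the checks in the same order as the quoted mint()."""
    if caller not in MINTERS:                        # onlyRole(MINTER_ROLE)
        return "NotMinter"
    expected = sign(order.benefactor, order)         # verifyOrder (assumed binding)
    if not hmac.compare_digest(signature, expected):
        return "BadSignature"
    key = (order.benefactor, order.nonce)            # dedup is keyed per benefactor
    if key in used_nonces:
        return "Duplicate"
    used_nonces.add(key)
    return "Minted"


def demo() -> list:
    used_nonces.clear()
    alice_order = Order("alice", 7, 100)
    copied = Order("alice", 7, 1)      # same benefactor and nonce, signed by mallory
    own = Order("mallory", 7, 1)       # same nonce value under mallory's own address
    return [
        mint("mallory", copied, sign("mallory", copied)),          # caller lacks role
        mint("minter-bot", copied, sign("mallory", copied)),       # signer mismatch
        mint("minter-bot", own, sign("mallory", own)),             # separate nonce space
        mint("minter-bot", alice_order, sign("alice", alice_order)),
        mint("minter-bot", alice_order, sign("alice", alice_order)),  # replay
    ]
```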

c4-pre-sort commented 11 months ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #145

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid