A bad actor can block the mint operation by front-running the original order with a duplicate order.
The contracts process orders that users submit as RFQs to the system, whether through the API or the front end, and those orders drive the mint process. The problem is in the contract EthenaMinting.sol, in the mint() function: at line 172 it checks whether the order is a duplicate using two factors, the benefactor and, the important one, the NONCE value, and if the order is a duplicate it reverts. This makes it possible for an attacker to grief users and block the mint process completely.
How? The nonce used in the contract is not a real NONCE value: it is generated by the front end, and users can EVEN set an optional nonce value themselves. This gives an attacker the opportunity to front-run the transaction and create the same order with the same nonce and benefactor, mint and redeem, and repeat this for the TARGET user, easily BLOCKING someone from minting.
THE NONCE MECHANISM IS IMPLEMENTED WRONGLY, and it is stupid to take the nonce from the front end or make it optional.
THIS IS THE REASON WHY A NONCE IS KEPT IN THE CONTRACT AND INCREMENTED: so no one can change it and every call generates a new nonce.
A nonce means a newly generated number, so, surprise, what the heck, if anyone can call mint with any nonce they like... Wait, what? :)
Note: I'm reporting this issue again because I accidentally reported it before without writing the proof-of-concept part. Thanks.
```solidity
function mint(Order calldata order, Route calldata route, Signature calldata signature)
    external
    override
    nonReentrant
    onlyRole(MINTER_ROLE)
    belowMaxMintPerBlock(order.usde_amount)
{
    if (order.order_type != OrderType.MINT) revert InvalidOrder();
    verifyOrder(order, signature);
    if (!verifyRoute(route, order.order_type)) revert InvalidRoute();
    // Duplicate check keyed on (benefactor, nonce); reverts if that pair was already used
    if (!_deduplicateOrder(order.benefactor, order.nonce)) revert Duplicate();
    // Add to the minted amount in this block
    mintedPerBlock[block.number] += order.usde_amount;
    _transferCollateral(
        order.collateral_amount, order.collateral_asset, order.benefactor, route.addresses, route.ratios
    );
    usde.mint(order.beneficiary, order.usde_amount);
    emit Mint(
        msg.sender,
        order.benefactor,
        order.beneficiary,
        order.collateral_asset,
        order.collateral_amount,
        order.usde_amount
    );
}
```
Tools Used
Manual review, VS Code
Recommended Mitigation Steps
Consider implementing the nonce mechanism inside the contract and incrementing it (nonce++) in the function every time someone calls it, so no one can change it. FIX THE NONCE: INCREMENT IT IN THE CONTRACT, AND NO ONE SHOULD BE ABLE TO SUPPLY A NONCE WHEN CALLING THE FUNCTION.
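As an added illustration of this mitigation (example code written for this report, not code from the Ethena repository), the sketch below keeps the order nonce in contract storage, advances it on every accepted order, and binds it into the signed digest, so neither a front end nor a caller can choose or reuse a nonce. The contract name, the `nonces` mapping, `_recoverSigner`, and the trimmed `Order` struct are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Ethena's code: the order nonce lives in the contract and
// is consumed on every accepted order, so it cannot be supplied from outside.
contract NonceManagedMinting {
    struct Order {
        address benefactor;        // signs the order and supplies collateral
        address beneficiary;       // receives the minted USDe
        address collateral_asset;
        uint256 collateral_amount;
        uint256 usde_amount;
    }

    // Next expected nonce per benefactor. Public so an off-chain signer can
    // read it before signing; it is never accepted as a call parameter.
    mapping(address => uint256) public nonces;

    event Mint(address indexed benefactor, address indexed beneficiary, uint256 nonce, uint256 usde_amount);

    function mint(Order calldata order, bytes calldata signature) external {
        // Consume the stored nonce first. A second submission of the same
        // signed order (a front-run copy or a replay) is hashed with the next
        // nonce and fails the signature check instead of occupying a slot.
        uint256 nonce = nonces[order.benefactor]++;

        // Bind contract address and chain id too, so the signature cannot be
        // replayed against another deployment or chain.
        bytes32 digest = keccak256(abi.encode(address(this), block.chainid, nonce, order));
        require(_recoverSigner(digest, signature) == order.benefactor, "invalid signature");

        // Collateral transfer and the USDe mint would follow here; they are
        // left out because this example is about the nonce handling only.
        emit Mint(order.benefactor, order.beneficiary, nonce, order.usde_amount);
    }

    // Plain ECDSA recovery over the digest (no EIP-712 domain struct, to keep
    // the example short). High-s signatures are rejected to avoid malleability.
    function _recoverSigner(bytes32 digest, bytes calldata signature)
        internal
        pure
        returns (address)
    {
        require(signature.length == 65, "bad signature length");
        bytes32 r = bytes32(signature[0:32]);
        bytes32 s = bytes32(signature[32:64]);
        uint8 v = uint8(signature[64]);
        if (v < 27) v += 27;
        require(
            uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
            "high-s signature"
        );
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "ecrecover failed");
        return signer;
    }
}
```

With this layout the duplicate check of the original code becomes unnecessary: the contract itself decides which nonce is valid next, and an order that does not carry the matching nonce in its signed digest simply fails verification.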
Lines of code
https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/EthenaMinting.sol#L172-L173
Vulnerability details
Impact
Users can easily access the API and the front end and then send RFQ requests; see this screenshot: https://i.ibb.co/9GWmqs1/image.png
Proof of Concept
https://i.ibb.co/9GWmqs1/image.png
Assessed type
MEV