Closed c4-submissions closed 1 year ago
minhquanym marked the issue as duplicate of #531
MarioPoneder marked the issue as duplicate of #491
MarioPoneder marked the issue as partial-25
MarioPoneder marked the issue as satisfactory
found 1/3 instances, see primary
MarioPoneder marked the issue as partial-25
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketControllerFactory.sol#L294
Vulnerability details
Impact
Creation of any controller contract can be DoSed by sending a 1 wei transaction to the address at which a user's controller will be deployed.
When an account has no code and has never been interacted with, its codehash is bytes32(0).
In that state controller creation succeeds at this line: https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketControllerFactory.sol#L294
However, once a transaction has been sent to the account (for example a 1 wei transfer), its codehash changes to keccak256("") (c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470). The require statement then fails because the codehash no longer equals bytes32(0), and creation reverts even though no code exists at that address.
This is high impact because an attacker can permanently prevent any controller contract from being created.
Proof of Concept
pragma solidity ^0.8.0;

contract CodehashTest {
    // Returns the codehash of an untouched address before and after sending it 1 wei.
    // Must be called with msg.value >= 1 so the transfer has funds to send.
    function notZeroCodeHash() external payable returns (bytes32 firstCodeHash, bytes32 secondCodeHash) {
        // Random address that has had 0 interactions
        firstCodeHash = address(0xc93356BdeAf3ceA6284A6Cc747fa52DD04AfB2A7).codehash;   // bytes32(0)
        payable(0xc93356BdeAf3ceA6284A6Cc747fa52DD04AfB2A7).transfer(1);
        secondCodeHash = address(0xc93356BdeAf3ceA6284A6Cc747fa52DD04AfB2A7).codehash;  // keccak256("")
    }
}
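The following contract is an added example, not code from the submission or from the Wildcat repository. It places the fragile "codehash == 0" test next to two checks that still report "no code here" after the predicted address has received 1 wei; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical names): contrasts a codehash == 0 test with
// checks that survive a 1 wei transfer to a not-yet-deployed address.
contract CodehashChecks {
    // keccak256(""): codehash of an account that exists but holds no code.
    bytes32 internal constant EMPTY_CODE_HASH =
        0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470;

    // Fragile: true only while the account has never been touched.
    function fragileIsUndeployed(address target) public view returns (bool) {
        return target.codehash == bytes32(0);
    }

    // Hash form: both "non-existent" and "existent but codeless" count as undeployed.
    function isUndeployedByHash(address target) public view returns (bool) {
        bytes32 h = target.codehash;
        return h == bytes32(0) || h == EMPTY_CODE_HASH;
    }

    // Size form: EXTCODESIZE is 0 in both account states.
    function isUndeployedBySize(address target) public view returns (bool) {
        return target.code.length == 0;
    }

    // Sends 1 wei to a fresh address and reports how each check reacts.
    // Call with msg.value >= 1 and an address that has never been used.
    function demo(address target)
        external
        payable
        returns (bool fragileBefore, bool fragileAfter, bool robustAfter)
    {
        fragileBefore = fragileIsUndeployed(target);      // true on a fresh address
        payable(target).transfer(1);                      // account now exists, codehash = keccak256("")
        fragileAfter = fragileIsUndeployed(target);       // false: this is the DoS condition
        robustAfter = isUndeployedByHash(target) && isUndeployedBySize(target); // true
    }
}
```

Note that `code.length == 0` is also true for a contract while its constructor is executing, so a size check alone does not prove that no deployment is in progress; for the deterministic-address case in this report, either robust form removes the 1 wei griefing vector.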
Tools Used
Manual
Recommended Mitigation Steps
Add
&& != bytes32(c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470)
to the require.
Assessed type
DoS