code-423n4 / 2023-11-canto-findings


Reorg attack in asDFactory #293

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/asD/src/asDFactory.sol#L33-L39

Vulnerability details

Impact

asD's are created from the asDFactory via CREATE1; an attacker can frontrun create to deploy at the same address but with a different config. If the deployed chain reorgs, a different asD might also be deployed at the same address.

Proof of Concept

    function create(string memory _name, string memory _symbol) external returns (address) {
        asD createdToken = new asD(_name, _symbol, msg.sender, cNote, owner());
        isAsD[address(createdToken)] = true;
        emit CreatedToken(address(createdToken), _symbol, _name, msg.sender);
        return address(createdToken);
    }

A simple scenario to demonstrate the issue:

Tools Used

Manual review

Recommended Mitigation Steps

Use CREATE2 and the asD config as salt.

Assessed type

Other
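The recommended mitigation as an added sketch (not the project's or the submitter's code): a factory that deploys with CREATE2 and a salt derived from the token config, so the address no longer depends on the factory nonce. `TokenStub`, `Create2FactorySketch`, `saltFor` and `predict` are hypothetical names; only the constructor argument order is taken from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the asD token; only the constructor shape
// (name, symbol, creator, cNote, owner) is taken from the snippet above.
contract TokenStub {
    string public name;
    string public symbol;
    address public immutable creator;

    constructor(string memory _name, string memory _symbol, address _creator, address, address) {
        name = _name;
        symbol = _symbol;
        creator = _creator;
    }
}

// Sketch of a factory that deploys with CREATE2 and a config-derived salt.
contract Create2FactorySketch {
    address public immutable cNote;
    address public immutable owner; // stand-in for the Ownable owner()
    mapping(address => bool) public isAsD;

    constructor(address _cNote) {
        cNote = _cNote;
        owner = msg.sender;
    }

    // The salt commits to the per-token config, including the caller.
    function saltFor(string memory _name, string memory _symbol, address _creator) public pure returns (bytes32) {
        return keccak256(abi.encode(_name, _symbol, _creator));
    }

    // Reverts if the same (name, symbol, creator) was already deployed.
    function create(string memory _name, string memory _symbol) external returns (address) {
        TokenStub t = new TokenStub{salt: saltFor(_name, _symbol, msg.sender)}(_name, _symbol, msg.sender, cNote, owner);
        isAsD[address(t)] = true;
        return address(t);
    }

    // The address depends on factory, salt and init code, not on the factory nonce,
    // so reordered transactions after a reorg cannot place another config at it.
    function predict(string memory _name, string memory _symbol, address _creator) external view returns (address) {
        bytes memory init = abi.encodePacked(type(TokenStub).creationCode, abi.encode(_name, _symbol, _creator, cNote, owner));
        bytes32 h = keccak256(abi.encodePacked(bytes1(0xff), address(this), saltFor(_name, _symbol, _creator), keccak256(init)));
        return address(uint160(uint256(h)));
    }
}
```

Because the salt and init code are fixed by the config, a given (name, symbol, creator) triple can be deployed only once; a factory that must allow repeats would need an extra caller-chosen component in the salt.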

c4-pre-sort commented 12 months ago

minhquanym marked the issue as primary issue

c4-pre-sort commented 12 months ago

minhquanym marked the issue as duplicate of #313

c4-judge commented 11 months ago

MarioPoneder changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

MarioPoneder marked the issue as grade-c

c4-judge commented 11 months ago

MarioPoneder marked the issue as grade-b