The createNewShare function in the 1155Tech Market contract assigns share IDs from a sequential counter, so the ID a new share receives depends on the order in which transactions are included. On chains that experience reorgs, such as Arbitrum, Optimism, and Polygon, that order can change after a share ID has already been observed and shared with buyers.
The sponsor confirmed that 1155tech could be deployed on chains other than Canto.
The impact is severe: a malicious actor can exploit a reorg during a share market listing. If users rely on a share ID obtained in advance and submit buy transactions for it, an attacker whose own createNewShare transaction lands ahead of the legitimate one after the reorg takes over that ID, and the users' buys purchase the attacker's share instead, transferring their funds to the attacker.
Proof of Concept
Alice starts a new share market with createNewShare and promotes the share ID it was assigned.
Users obtain the share ID and submit buy transactions for it.
A reorg occurs, and Bob front-runs Alice's createNewShare in the replacement block so that his share is assigned the ID Alice advertised.
Alice's createNewShare is executed afterwards and her share receives the next ID (+1).
Users' pending buy transactions execute against the advertised ID and unintentionally buy Bob's share, so the proceeds go to Bob.
Tools Used
Manual Review
Recommended Mitigation Steps
To address this critical vulnerability, it is recommended to add a warm-up period to shareData: buy/sell transactions for a share should be rejected until enough blocks (or time) have passed since its creation. The warm-up should exceed the reorg depth realistically seen on the target chain, so that by the time a buy can execute, the block that assigned the share ID can no longer be reordered. This does not make reorgs impossible; it makes them irrelevant to the ID a buyer acts on, because any buy submitted before the warm-up ends simply reverts and the buyer re-reads the settled chain before trying again.
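The scenario in the proof of concept and the warm-up mitigation, modelled in Python as an added example. This is not the project's code: the Market model, its field and function names (share_count, created_at, create_share, buy, WARMUP blocks), and the replay helper are assumptions made for illustration; only the sequential share ID and the warm-up on shareData come from the finding. Each chain is a list of blocks, each block a list of transactions in inclusion order, and the "after reorg" chain simply has Bob's creation ahead of Alice's in the replacement block.

```python
"""Model of sequential share-ID assignment under a reorg, and a warm-up check.

Hypothetical simplification of the 1155tech Market contract (not the
project's code). Names such as create_share, buy, created_at and
warmup_blocks are assumptions chosen for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Share:
    creator: str
    created_at: int  # block height at which createNewShare was included


@dataclass
class Market:
    warmup_blocks: int = 0
    share_count: int = 0
    shares: Dict[int, Share] = field(default_factory=dict)
    # recorded sales as (share_id, buyer, creator who received the proceeds)
    sales: List[Tuple[int, str, str]] = field(default_factory=list)

    def create_share(self, creator: str, block: int) -> int:
        # Sequential counter: the ID depends purely on inclusion order,
        # which is exactly what a reorg can change.
        self.share_count += 1
        self.shares[self.share_count] = Share(creator, block)
        return self.share_count

    def buy(self, share_id: int, buyer: str, block: int) -> str:
        share = self.shares[share_id]  # KeyError models an unknown ID
        # Warm-up mitigation: reject buys until the creation block is old
        # enough that it can no longer be reordered on the target chain.
        if block < share.created_at + self.warmup_blocks:
            raise ValueError("share still in warm-up period")
        self.sales.append((share_id, buyer, share.creator))
        return share.creator


Tx = Tuple[str, tuple]  # ("create", (creator,)) or ("buy", (share_id, buyer))


def replay(chain: List[List[Tx]], warmup_blocks: int = 0) -> Market:
    """Apply blocks in order; a transaction that reverts is skipped."""
    m = Market(warmup_blocks)
    for height, block in enumerate(chain, start=1):
        for kind, args in block:
            try:
                if kind == "create":
                    m.create_share(args[0], height)
                else:
                    m.buy(args[0], args[1], height)
            except (ValueError, KeyError):
                pass  # reverted transaction, no state change
    return m


# Constructed transactions for the proof-of-concept scenario.
ALICE_CREATE: Tx = ("create", ("alice",))
BOB_CREATE: Tx = ("create", ("bob",))
USER_BUY_1: Tx = ("buy", (1, "user"))  # buy of the ID Alice advertised


def scenario_before_reorg() -> Market:
    # Block 1: Alice creates share 1 and promotes it. Block 2: a user buys it.
    return replay([[ALICE_CREATE], [USER_BUY_1]])


def scenario_after_reorg(warmup_blocks: int = 0) -> Market:
    # Block 1 is replaced: Bob's createNewShare now precedes Alice's, so
    # Bob owns ID 1 and Alice's share becomes ID 2. The pending buy of ID 1
    # is re-included in block 2 unchanged.
    return replay([[BOB_CREATE, ALICE_CREATE], [USER_BUY_1]], warmup_blocks)


def scenario_buy_after_warmup(warmup_blocks: int = 5) -> Market:
    # With a warm-up, the early buy in block 2 reverts. The user waits,
    # re-reads the settled chain, sees Alice's share is ID 2, and buys that
    # in block 6 (created_at 1 + 5 blocks).
    late_buy: Tx = ("buy", (2, "user"))
    chain = [[BOB_CREATE, ALICE_CREATE], [USER_BUY_1], [], [], [], [late_buy]]
    return replay(chain, warmup_blocks)


if __name__ == "__main__":
    print("before reorg:", scenario_before_reorg().sales)
    print("after reorg, no warm-up:", scenario_after_reorg().sales)
    print("after reorg, 5-block warm-up:", scenario_after_reorg(5).sales)
    print("buy after warm-up:", scenario_buy_after_warmup().sales)
```

Without the warm-up, the replayed "after reorg" chain records the user's purchase against Bob as creator even though the user only ever intended to buy Alice's share. With a warm-up of five blocks the early buy reverts, and only a buy placed once the creation block is settled goes through. The warm-up length is a per-chain parameter: it should be chosen from the reorg depths actually observed on the deployment chain, not from Canto's. A complementary hardening, not part of the finding's recommendation, would be to let buy take the expected creator as an argument and revert on mismatch, which protects even a buyer who does not wait.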
Lines of code
https://github.com/code-423n4/2023-11-canto/tree/main/1155tech-contracts/src/Market.sol#L118
Assessed type
MEV