Open c4-bot-10 opened 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #20
0xA5DF changed the severity to QA (Quality Assurance)
0xA5DF marked the issue as grade-c
Invalid I don't get how this will lead to an accounting error. Each interaction would increase/decrease only one balance delta, and each balance delta would lead to minting/burning accordingly.
0xA5DF marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/ocean/Ocean.sol#L445
Vulnerability details
Impact
It's possible to insert the same element multiple times in `ids` and `interactions` when calling `doMultipleInteractions()`. This will lead to improper calculations which might result in minting or burning more than we should.
Proof of Concept
Function `doMultipleInteractions()` is an external function, thus it can be called by anyone. It accepts two arrays as parameters: `interactions` and `ids`. Those parameters are not validated and not checked for duplicates. For the purpose of this PoC, we will call `doMultipleInteractions()` with an `ids` array which contains the same id twice and `interactions` with the same interaction twice.
`doMultipleInteractions()` calls the private function `_doMultipleInteractions()`.
As we can verify, that function does not perform any additional check related to `ids` or `interactions`.
It will create multiple `BalanceDelta()` for the same id:
and it will execute the same interaction twice:
Based on doubled interactions and ids, deltas will be calculated twice:
and since deltas won't be calculated properly, both `mintIds` and `burnIds` will be calculated differently.
As a result, by providing the same ids/interactions twice, a user will be able to mint or burn more than he/she should:
Tools Used
Manual code review
Recommended Mitigation Steps
Make sure to check that both `interactions` and `ids` do not contain the same element in an array.
Assessed type
Other
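The accounting under dispute in this thread, as an added Python model (not code from the report or from Ocean.sol): it applies a batch of interactions to one balance delta per declared id, builds the mint and burn lists, and puts the recommended duplicate check behind a `strict` flag. The slot lookup rule, the names `settle` and `reject_duplicates`, and the token ids and amounts are assumptions made for the illustration.

```python
# Toy model constructed for this note; it is not Ocean.sol.
class DuplicateId(ValueError):
    pass


def reject_duplicates(ids):
    """The report's recommended mitigation: refuse an ids array with repeats."""
    seen = set()
    for token_id in ids:
        if token_id in seen:
            raise DuplicateId(f"id {token_id} appears more than once")
        seen.add(token_id)


def settle(ids, interactions, strict=False):
    """Return (mints, burns) after applying interactions to per-id deltas.

    interactions: (token_id, signed_amount) pairs, positive = owed to the user.
    Assumptions of this model: one delta slot is created per entry of ids,
    an update lands in the FIRST slot with a matching id, and slots whose
    delta is zero are skipped when the mint/burn lists are built.
    """
    if strict:
        reject_duplicates(ids)
    slots = [[token_id, 0] for token_id in ids]
    for token_id, amount in interactions:
        for slot in slots:
            if slot[0] == token_id:
                slot[1] += amount
                break
        else:
            raise KeyError(f"id {token_id} was not declared in ids")
    mints = [(i, d) for i, d in slots if d > 0]
    burns = [(i, -d) for i, d in slots if d < 0]
    return mints, burns


# Constructed sample: credit 100 of token 1, spend it, receive 99 of token 2.
TOKEN_A, TOKEN_B = 1, 2
BATCH = [(TOKEN_A, 100), (TOKEN_A, -100), (TOKEN_B, 99)]

if __name__ == "__main__":
    print(settle([TOKEN_A, TOKEN_B], BATCH))                    # baseline
    print(settle([TOKEN_A, TOKEN_A, TOKEN_B, TOKEN_B], BATCH))  # repeated ids
    print(settle([TOKEN_A, TOKEN_B], BATCH * 2))                # repeated batch
```

Under these assumptions a repeated id only adds a slot that stays at zero, and a repeated interaction is settled as two separate interactions.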