Closed c4-bot-4 closed 8 months ago
0xSorryNotSorry marked the issue as insufficient quality report
Trumpero marked the issue as unsatisfactory: Invalid
Hi @Trumpero
Re-raising this since as you may be aware reorgs do happen on mainnet https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/attack-and-defense#attacks-by-small-stakeholders
On Arbitrum, an L1 reorg would cause an L2 reorg
As far as I can tell, this is a very unlikely but nevertheless legitimate finding, which the mitigation addresses. Here are several instances in the past year in which similar findings were accepted: 2023-01-rabbithole-findings/M-01 2023-04-frankencoin-findings/M-14 2023-08-pooltogether-findings/M-09
@0xEVom Agree that this issue is valid and should be fixed, but it only has low severity. If an attacker creates a term maliciously to receive the votes, this proposal still needs to wait for the 7-day voting duration to be executed. During this time, the Guardian role can cancel it directly, or Guild holders can veto it to cancel, so it doesn't cause any impact. Additionally, this issue has a very unlikely likelihood, and the issue of the chain system should be considered QA as per C4's docs. I mark this as grade-c because it's grade of combination all QA issues from that warden
Trumpero changed the severity to QA (Quality Assurance)
Trumpero marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOnboarding.sol#L153
Vulnerability details
Impact
The
createTerm()
function in theLendingTermOnboarding.sol
contract is vulnerable to a reorg/frontrunning attack. This function deploys a newLendingTerm
contract using OZ'sClone.clone()
, which usescreate()
under the hood. Here, the address derivation depends solely on theLendingTermOnboarding
nonce.The worst-case scenario is an attacker exploiting the predictability of contract creation to manipulate votes, leading to a malicious contract being approved instead of the intended one.
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOnboarding.sol#L153 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/fd81a96f01cc42ef1c9a5399364968d0e07e9e90/contracts/proxy/Clones.sol#L33
This is a Medium severity issues previously reported here an in the referenced reports https://solodit.xyz/issues/m-09-create-methods-are-suspicious-of-the-reorg-attack-code4rena-pooltogether-pooltogether-git
Proof of Concept
The following sequence of events illustrates the vulnerability:
createTerm()
with profitable parametersproposeOnboard()
to propose its onboardingcastVote()
to cast her vote in support of her proposalcreateTerm()
with malicious parameters before Alice's transactions are executed.Tools Used
Manual review
Recommended Mitigation Steps
Use
Clones.cloneDeterministic()
passing a hash of the proposal parameters as the salt.Assessed type
Other