Attacker can temporarily DOS safe creation for other users

[c4-bot-2]

Lines of code

https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Factory.sol#L138-L194 https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Create.sol#L649

Vulnerability details

Impact

A griefer can frontrun or use a known victim's address to call gnosis safe factory to create a safe wallet with an exact payload as the Factory.sol one, since this safe wasn't created with the re-nft factory it won't be registered and as a result can't rent tokens.

Proof of Concept

Only safes created with the re-nft factory contract can receive rented items, here we can see https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Factory.sol#L189

        safe = address(
            safeProxyFactory.createProxyWithNonce(
                address(safeSingleton),
                initializerPayload,
                uint256(keccak256(abi.encode(STORE.totalSafes() + 1, block.chainid)))
            )
        );

        // Store the deployed safe.
        STORE.addRentalSafe(safe);

that the factory interacts with the gnosis safe factory to create and register a safe. Later we query the storage module to validate the safe who is about to receive the borrowed item https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Create.sol#L530-L538 https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Create.sol#L649

    function _rentFromZone(
        RentPayload memory payload,
        SeaportPayload memory seaportPayload
    ) internal {
        // Check: make sure order metadata is valid with the given seaport order zone hash.
        _isValidOrderMetadata(payload.metadata, seaportPayload.zoneHash);

        // Check: verify the fulfiller of the order is an owner of the recipient safe.
        _isValidSafeOwner(seaportPayload.fulfiller, payload.fulfillment.recipient);

Safes that weren't created by the re-nft factory won't work. The attack idea is as follows:

• since the re-nft factory only uses totalSafes counter for entropy, it's pretty easy to copy the payload using victim's address and a threshold value(which is probably 1) and create a safe with the gnosis safe factory, bypassing the re-nft factory
• the victim will be blocked from the safe creation in the re-nft factory and will have to either change the owners and threshold value or wait for the totalSafes counter to update (attacker can create multiple safes with different totalSafes values as a salt though)

  Tools Used

  Manual review

  Recommended Mitigation Steps

  Use a pseudo random value instead of the totalSafes counter as a salt, this way it will be harder to predict the salt value to implement a long term DOS.

Assessed type

DoS

[c4-pre-sort]

141345 marked the issue as duplicate of #443

[c4-judge]

0xean marked the issue as satisfactory

[c4-judge]

0xean changed the severity to QA (Quality Assurance)

[c4-judge]

0xean marked the issue as grade-c