Closed c4-bot-5 closed 5 months ago
Unclear if this has any real impact
GalloDaSballo marked the issue as insufficient quality report
GalloDaSballo marked the issue as primary issue
4. If the attacker's transaction is confirmed by miners before User A's transaction, the attacker will successfully reserve the
_keyId
. User A's transaction will then fail due to thereservedKeys[_userAddress] > 0
check (if they use the same address) or because the attacker has already reserved the_keyId
, resulting in a different_keyId
for User A.
this is not correct assumption, misleading this and blowing it over proportion.
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L96-L183 https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PowerFarmNFTs/MinterReserver.sol#L77-L94
Vulnerability details
Impact
The
enterFarm
andenterFarmETH
functions in thePendlePowerManager.sol
contract generate new_keyId
s and store them in the correspondingreservedKeys
dictionary by calling the_reserveKey
function fromMinterReserver.sol
.These functions are susceptible to front-running risks.
Proof of Concept
The
enterFarm
andenterFarmETH
functions in thePendlePowerManager.sol
contract allow users to enter farming positions.https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L96-L183
Both functions call the
_reserveKey
function fromMinterReserver.sol
to generate a new_keyId
and store it in thereservedKeys
dictionary.https://github.com/code-423n4/2024-02-wise-lending/blob/1240a22a3bbffc13d5f8ae6300ef45de5edc7c19/contracts/PowerFarms/PowerFarmNFTs/MinterReserver.sol#L77-L94
A potential front-running scenario could unfold as follows:
_keyId
by calling theenterFarm
orenterFarmETH
function._keyId
they are attempting to reserve._keyId
, and sends this transaction with a higher gas fee._keyId
. User A's transaction will then fail due to thereservedKeys[_userAddress] > 0
check (if they use the same address) or because the attacker has already reserved the_keyId
, resulting in a different_keyId
for User A.Tools Used
Manual Review
Recommended Mitigation Steps
Commit-Reveal Scheme: This approach can reduce the risk of front-running by having users first submit a hash ("commit") of their intention, followed by a subsequent transaction to reveal their intent ("reveal"). This ensures that attackers cannot determine the user's actual intent during the "commit" phase.
Access Control: Ensure that only verified or authorized users can reserve
_keyId
s. Although this does not eliminate front-running entirely, it restricts who can perform the operation.Assessed type
Timing