Open c4-bot-5 opened 3 months ago
DadeKuma marked the issue as insufficient quality report
This issue is similar to the approve race condition which is capped to NC/Invalid according to the SC: https://docs.code4rena.com/awarding/judging-criteria/supreme-court-decisions-fall-2023#verdict-approve-race-condition-suggested-nc-or-invalid
The mitigation does not solve the issue as it can be front-run anyway.
OpenCoreCH marked the issue as unsatisfactory: Invalid
Hey @ZanyBonzy,
The issue is conceptually similar to the approval frontrunning issue in the sense that in both cases a user A (here the admin) decreases a balance (here shares, in the approval frontrunning an approval which can be used to transfer tokens) and the user could frontrun this call to benefit from the old balance. That being said, Invalid was a bit harsh because the issue is technically valid. I just do not think that it is a valid medium because the function works as intended. If the admin really wanted to increase or decrease by a certain value (which is not clear to me that this will ever be needed), they could do this via a small helper contract that queries the balance and increases / decreases it in the same tx. But like you said, in the case of decreasing, the only improvement in the case of decreasing would be that the call reverts, materially nothing is changed. Maybe that would help the admin to detect this behaviour, but they could also detect it easily with the current implementation (in the end, all transactions are public).
OpenCoreCH changed the severity to QA (Quality Assurance)
OpenCoreCH marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2024-03-acala/blob/9c71c05cf2d9f0a2603984c50f76fc8a315d4d65/src/orml/rewards/src/lib.rs#L253-L261
Vulnerability details
Impact
The
set_share
function presumably allows the admin to set the number of a user's shares.The issue with the function is that due to the comparisons of the
new_share
with oldshare
, a user can frontrun the call, to initially remove his shares, and the turning his shares_and_withdrawn_rewards to 0, and then backrunning the call to add his previously removed shares. If the pool is the NATIVE currency pool, the user can simply unbond and rebond once the admin's call is executed.Because the user has removed his shares, his share is now 0, thus, the
new_share
will always be more, thus calling theadd_share
function and adding thenew_share
to his account, getting way more shares that is desired.Proof of Concept
Two test cases are shown below, copy and paste them into tests.rs
Tools Used
Manual code review
Recommended Mitigation Steps
Instead of directly setting shares, use an increase/decrease shares functions instead. A pause functionality can also be implemented to temporarily halt shares removal just before the shares can be set.
Assessed type
Other