Closed c4-bot-4 closed 5 months ago
JustDravee marked the issue as duplicate of #1103
JustDravee marked the issue as duplicate of #489
JustDravee marked the issue as sufficient quality report
koolexcrypto marked the issue as not a duplicate
koolexcrypto marked the issue as duplicate of #1266
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as duplicate of #930
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L143
Vulnerability details
Impact
withdraw method can be blocked permanently for all ids for each block.
Proof of Concept
depsoit amount for a note id by design can't be withdrawn immediately, The user should wait for the next block to be able to withdraw his amount, Ethereum generate new block every 12 seconds, meaning the user who make a deposit he should wait at least a 12 seconds to be able to withdraw, which is on purpose as the protocol made this protection against flash loan attacks or any deposit and withdraw in one time transaction.
However, because of this condition idToBlockOfLastDeposit[id] = block.number, it can cause DoS and block the withdraw method, a simple scenario that Bob can call deposit method and pass any note id with 1 WEI of depsoit amount to any Vault:
A simple scenario:
block.number
now stored in idToBlockOfLastDeposit at id 5.It seems a short time to wait, and Alex wasn't blocked for long time. However, this unfortunately could not be the case, Bob could use this bug to achieve a full block for many ids for many consecutive blocks.
The critical scenario:
This attack will cost nothing except the TX fee.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
DoS