Closed c4-bot-1 closed 3 months ago
JustDravee marked the issue as duplicate of #489
JustDravee marked the issue as sufficient quality report
koolexcrypto marked the issue as unsatisfactory: Invalid
koolexcrypto marked the issue as unsatisfactory: Invalid
koolexcrypto marked the issue as nullified
koolexcrypto marked the issue as not nullified
koolexcrypto marked the issue as duplicate of #1001
koolexcrypto marked the issue as satisfactory
koolexcrypto changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/49fb7174576e5147dc73d3222d16954aa641a2e0/src/core/VaultManagerV2.sol#L119-L131 https://github.com/code-423n4/2024-04-dyad/blob/49fb7174576e5147dc73d3222d16954aa641a2e0/src/core/VaultManagerV2.sol#L134-L153
Vulnerability details
Impact
The exploitation of the
block.number
dependency bug can lead to a denial of service where legitimate users are unable towithdraw
their funds. This undermines the trust in the system and can lead to financial losses and reputational damage for the platform.Proof of Concept
The
VaultManagerV2::deposit
lacks a check to ensure that the caller is the DNft holder. This omission could potentially result in a serious problem.This can be manupilated by
miner
ornon-miner
lets go through the one by one exampleHere's how a miner could execute this attack:
Monitor Mempool: The miner monitors the mempool for
withdraw
transactions related to a specific id.Prepare Deposit: Upon detecting a
withdraw
transaction, the miner prepares adeposit
transaction for the same id.The miner can use any account to perform this deposit, including their own.
Construct Block: When constructing the next block, the miner includes their own deposit transaction before the user's withdraw transaction.
Mine Block: The miner mines the block, ensuring that their
deposit
transaction is included first.Publish Block: The miner publishes the block to the blockchain.
Withdrawal Fails: When the block is confirmed, the
withdraw
transaction is processed after the deposit transaction. The withdraw transaction fails because the check inVaultManagerV2::withdraw
now matches the current block number, triggering the
DepositedInSameBlock
revert condition.Here's a step-by-step explanation of how a non-miner might carry out this attack:
Monitor Mempool: The attacker monitors the mempool for
withdraw
transactions related to a specific id using a Web3 provider or blockchain explorer API.Craft Deposit Transaction: Upon detecting a
withdraw
transaction, the attacker quickly creates adeposit
transaction for thesame id
.Increase Gas Price: The attacker sets a higher gas price for their
deposit
transaction to incentivize miners to prioritize and include it in the next block before the pending withdraw transaction.Broadcast Deposit Transaction: The attacker broadcasts their
deposit
transaction to the network.Miners Include Deposit First: Miners, motivated by the higher gas fees, include the attacker's
deposit
transaction in the next block before thewithdraw
transaction.Withdrawal Fails: When the
withdraw
transaction is processed, it fails because the check inVaultManagerV2::withdraw
matches the current block number due to the inclusion of the attacker's
deposit
transaction, triggering theDepositedInSameBlock
revert condition.Repeat: The
miner
andnon-miner
can continue this strategy for subsequent blocks, effectively preventing the user from withdrawing by ensuring that a deposit transaction for the same id always precedes any withdraw transaction in the block orderTools Used
Manual Review
Recommended Mitigation Steps
allow deposits only from the owner of the DNft, ensure that the
VaultManagerV2::deposit
function includes a check to verify the caller's ownership status.Assessed type
DoS