The createPool function in the EdgeStakingPoolCreator and AssertionStakingPoolCreator contracts uses a salt value of zero when creating a new pool. The salt value should be unique for each pool instance to prevent potential vulnerabilities.
Proof of Concept
The createPool function uses a hardcoded salt value of 0 when creating new EdgeStakingPool and AseertionStakingPool instances.
function createPool(
address challengeManager,
bytes32 edgeId
) external returns (IEdgeStakingPool) {
EdgeStakingPool pool = new EdgeStakingPool{salt: 0}(challengeManager, edgeId);
emit NewEdgeStakingPoolCreated(challengeManager, edgeId);
return pool;
}
The zero value is predictable and can be exploited by malicious actors who may attempt to interfere with the contract creation process.
Tools Used
Manual review
Recommended Mitigation Steps
Incorporating a unique identifier, such as a nonce, timestamp, or a combination of both, to generate a unique salt value.
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/assertionStakingPool/AssertionStakingPoolCreator.sol#L15-L22 https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/assertionStakingPool/EdgeStakingPoolCreator.sol#L15-L22
Vulnerability details
Impact
The createPool function in the EdgeStakingPoolCreator and AssertionStakingPoolCreator contracts uses a salt value of zero when creating a new pool. The salt value should be unique for each pool instance to prevent potential vulnerabilities.
Proof of Concept
The createPool function uses a hardcoded salt value of 0 when creating new EdgeStakingPool and AseertionStakingPool instances.
The zero value is predictable and can be exploited by malicious actors who may attempt to interfere with the contract creation process.
Tools Used
Manual review
Recommended Mitigation Steps
Incorporating a unique identifier, such as a nonce, timestamp, or a combination of both, to generate a unique salt value.
Assessed type
Other