When calling LockManager::lockOnBehalf with _tokenContract as address(0), _quantity as 0, _onBehalfOf as their target victim and sending zero value they can effectively increase the unlockTime for the locked ETH that the victim has locked since the LockManager::_lock function always increses the unlocktime:
The test passes, indication that the new unlocktime for user's "alice" ETH was reset by user "janice" while not spending any ETH except for gas in the process.
Tools Used
Manual review + node tests
Recommended Mitigation Steps
Validate that the quantity sent is greater than zero or greater than a specified amount when ETH is being sent.
Or create a way to only let certain users lock on behalf of other users.
This mitigation will depend on how the project devs want their protocol to work.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L275
Vulnerability details
Impact
When calling
LockManager::lockOnBehalf
with_tokenContract
asaddress(0)
,_quantity
as0
,_onBehalfOf
as their target victim and sending zero value they can effectively increase theunlockTime
for the locked ETH that the victim has locked since theLockManager::_lock
function always increses the unlocktime:Only cost for the attacker would be the gas spent to perform this action.
Proof of Concept
To verify this I added a test on the
lock.test.ts
file at line 383 to verify that any user can increse this unlock time:The test passes, indication that the new unlocktime for user's "alice" ETH was reset by user "janice" while not spending any ETH except for gas in the process.
Tools Used
Manual review + node tests
Recommended Mitigation Steps
Validate that the quantity sent is greater than zero or greater than a specified amount when ETH is being sent. Or create a way to only let certain users lock on behalf of other users. This mitigation will depend on how the project devs want their protocol to work.
Assessed type
Invalid Validation