An attacker can lock his/her funds for a victim player using the lockOnBehalf() method.
However, this action triggers the _lock() method which reset the lockedToken.unlockTime.
Because there is no minimum quantity to lock, an attacker can reset the lockedToken.unlockTime of a victim indefinitely. This is a DoS attack on the unlock functionality of the victim.
This method resets the lockedToken.unlockTime of the lockRecipient address. Even if the attacker locks 1 wei on behalf of lockRecipient, the lockedToken.unlockTime is set again at least to lockdrop.minLockDuration:
So, an attacker can postpone the unlockTime of a victim indefinitely, because the victim will not be able to call the unlock method successfully (line 410):
Only a pre-authorized address should be able to lock funds on behalf of another address. So, we suggest to introduce a mapping to track pre-authorized addresses and add/remove methods to manage them.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L274-L294
Vulnerability details
Impact
An attacker can lock his/her funds for a victim player using the lockOnBehalf() method. However, this action triggers the
_lock() method
which reset thelockedToken.unlockTime
. Because there is no minimum quantity to lock, an attacker can reset thelockedToken.unlockTime
of a victim indefinitely. This is a DoS attack on theunlock
functionality of the victim.Proof of Concept
The lockOnBehalf() method allows to lock own funds for another address:
This method resets the
lockedToken.unlockTime
of thelockRecipient
address. Even if the attacker locks 1 wei on behalf oflockRecipient
, thelockedToken.unlockTime
is set again at least tolockdrop.minLockDuration
:So, an attacker can postpone the unlockTime of a victim indefinitely, because the victim will not be able to call the
unlock method
successfully (line 410):Tools Used
Visual inspection
Recommended Mitigation Steps
Only a pre-authorized address should be able to lock funds on behalf of another address. So, we suggest to introduce a mapping to track pre-authorized addresses and add/remove methods to manage them.
Assessed type
DoS