Open c4-bot-8 opened 2 months ago
Hey @alex-ppg, keeping this issue in the loop with the supporting comments provided by the warden in issue #106
Hey @mcgrathcoutinho, thank you for the PJQA contribution. I will preface all validation repository finding responses by stating that they are not evaluated by judges directly and are only evaluated by the validators if they are deemed unsatisfactory.
The same rationale as laid out in #106 applies here.
This paragraph is included in all of my responses and confirms that no further feedback is expected in this submission as PJQA has concluded. You are free to refute any of my statements factually, however, I strongly implore you to do this with actual code references and examples.
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L57
Vulnerability details
Summary
Context: Function initProject() allows anyone to create a project by passing InitProjectParams.
Issue: The issue is that an attacker can frontrun the project creator by submitting the same InitProjectParams parameters. This would give him the admin ownership of the project as seen here.
Proof of Concept
1. The original creator calls function initProject() to create a new project.
2. The attacker calls the same function with the same parameters and pays a higher gas price to frontrun the creator.
3. Once the attacker's call executes first, the project is cached permanently with the admin being the attacker.
Tools Used
Manual Review
Recommended Mitigation Steps
Currently there is no direct mitigation to this since any transaction could be frontrun. The only solution is to introduce a registration mechanism where the owner can create the project for the respective team. I'd recommend exploring more solutions to this (if any).
Assessed type
DoS
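The pattern described in the finding, and one way to implement the registration mechanism it recommends, as an added example. This is simplified illustration code, not the Vultisig ILOManager contract: the contract names, the `(token, saleStart)` parameters standing in for InitProjectParams, and the `authorizedCreator` mapping are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only (not the project's code): a project registry keyed by
// the same parameters that anyone could submit. Whoever lands the first
// transaction for a given parameter set becomes admin, so a transaction
// submitted with a higher gas price can take the slot from the real creator.
contract VulnerableProjectRegistry {
    struct Project { address admin; bool exists; }
    mapping(bytes32 => Project) public projects;

    function initProject(address token, uint256 saleStart) external returns (bytes32 id) {
        id = keccak256(abi.encode(token, saleStart));
        require(!projects[id].exists, "already initialized");
        // msg.sender is cached as admin with no check on who is allowed to
        // create the project for this token.
        projects[id] = Project({admin: msg.sender, exists: true});
    }
}

// Hardened variant (assumed design): the protocol owner registers which
// address may create the project for a given token. A call from any other
// address reverts instead of claiming admin rights, so ordering of
// transactions no longer decides who administers the project.
contract GuardedProjectRegistry {
    struct Project { address admin; bool exists; }
    address public immutable owner;
    mapping(bytes32 => Project) public projects;
    mapping(address => address) public authorizedCreator; // token => creator

    event CreatorRegistered(address indexed token, address indexed creator);
    event ProjectInitialized(bytes32 indexed id, address indexed admin);

    constructor() { owner = msg.sender; }

    // Only the protocol owner can bind a token to the team that will run it.
    function registerCreator(address token, address creator) external {
        require(msg.sender == owner, "not owner");
        require(creator != address(0), "zero creator");
        authorizedCreator[token] = creator;
        emit CreatorRegistered(token, creator);
    }

    // Same parameters as before, but the caller must be the registered
    // creator for the token; an unregistered caller cannot pre-empt the slot.
    function initProject(address token, uint256 saleStart) external returns (bytes32 id) {
        require(authorizedCreator[token] == msg.sender, "not authorized creator");
        id = keccak256(abi.encode(token, saleStart));
        require(!projects[id].exists, "already initialized");
        projects[id] = Project({admin: msg.sender, exists: true});
        emit ProjectInitialized(id, msg.sender);
    }
}
```

The registration step is itself owner-only, so the only transaction that can be reordered ahead of the creator's `initProject` call is one from the registered creator address. Emitting events on both steps also gives monitoring a clear record of who registered and initialized each project.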