Impact: High - funds[::sellAmount] can be stolen
Likelihood: Low - as it requires an event of block reorganizations.
Overall: Medium
Proof of Concept
As mentioned in the report's title, reorgs can occur on all EVM chains, most likely on L2s like Arbitrum or Polygon. As stated in the protocol's README, Reserve is compatible with L2s and even with mainnet. Here are some references to reorgs that happened in the past:
Ethereum
Polygon - 2 years ago, with a depth of 120 blocks, which means 4 minutes of rewritten txs
Optimistic rollups (Optimism/Arbitrum) are also susceptible to reorgs, since if someone finds a fraud the blocks will be reverted, even though the user receives a confirmation.
These are the biggest reorg events that have happened. Here is a link to forked blocks on Polygon, meaning blocks excluded as a result of "Block Reorganizations": https://polygonscan.com/blocks_forked?p=1, where it can be observed that at least two-digit block reorgs happen every month.
The vulnerability is that when Trade Auction creators rely on deriving the address in advance, or try to deploy to the same address on different chains, any funds sent to the deployed contracts can be stolen.
Imagine the following scenario:
Alice calls openTrade, deploys a new Auction contract and funds it with sellAmount.
Bob has an active bot that observes the blockchain and alerts on a reorg.
Bob calls one of the aforementioned create functions.
Thus an Auction is created at the address to which Alice sends the tokens.
Finally, Alice's tx is executed and funds an Auction which Bob controls.
Tools Used
Manual Review
Recommended Mitigation Steps
Use CREATE2 with a salt that includes msg.sender.
Note: The same attack vector also applies to deploying contracts through proxies in Deployer.sol.
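A sketch of the recommended mitigation, added here as an example and not taken from Reserve's Broker.sol or Deployer.sol: a clone factory whose CREATE2 salt is bound to msg.sender, so a different caller can never land on the address the original caller derived. TradeFactory, ITrade, init, saltFor and predict are hypothetical names; the OpenZeppelin Clones library is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical trade interface, for illustration only.
interface ITrade {
    function init(address origin, uint256 sellAmount) external;
}

// Hypothetical factory, not the project's code.
contract TradeFactory {
    using Clones for address;

    address public immutable tradeImplementation;
    // Per-caller counter so each caller can open several trades with unique salts.
    mapping(address => uint256) public nonces;

    event TradeOpened(address indexed caller, address trade);

    constructor(address impl) {
        tradeImplementation = impl;
    }

    // With plain CREATE the clone address depends only on the factory and its
    // nonce, so after a reorg whoever calls first gets the address.
    // Here the caller is part of the salt, so the address is caller-specific.
    function saltFor(address caller, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encode(caller, nonce));
    }

    // Address the caller's next trade will be deployed at.
    function predict(address caller) external view returns (address) {
        bytes32 salt = saltFor(caller, nonces[caller]);
        return tradeImplementation.predictDeterministicAddress(salt, address(this));
    }

    function openTrade(uint256 sellAmount) external returns (address trade) {
        bytes32 salt = saltFor(msg.sender, nonces[msg.sender]++);
        // CREATE2 deployment: reverts if a contract already exists at this address.
        trade = tradeImplementation.cloneDeterministic(salt);
        ITrade(trade).init(msg.sender, sellAmount);
        emit TradeOpened(msg.sender, trade);
    }
}
```

If a reorg replays the creation in a different order, the caller's trade still resolves to the same caller-specific address, and no other account can occupy it.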
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/Broker.sol#L246
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/Broker.sol#L283
Assessed type
Library