hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4

The same message can be sent twice in a single block, make them non block unique. #86

Open hats-bug-reporter[bot] opened 9 months ago

hats-bug-reporter[bot] commented 9 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x0adef3f09cea2362295fd64437b6bfa6a2c09bc54fdf8be53b576a1d241e41bf
Severity: medium

Description:

Messages will be non block unique and have the same message identifier when they are sent on the same block. This can be done by sending the same messages through separate transactions on the same block. This will make the messages non block unique and they will have the same message identifier.

https://github.com/catalystdao/GeneralisedIncentives/blob/2448d77e412216283ed75d8c3cbaa1270657f7b5/src/IncentivizedMessageEscrow.sol#L173

Attack Scenario:

The same message can be sent twice in a single block by using multiple transactions to execute them.

Proof of Concept (PoC) File

Add these tests to MessageIdentifier.t.sol and run forge test on each of them.


    function test_notUnique_identifier_block_11() public {
        vm.roll(11);
        IncentiveDescription storage incentive = _INCENTIVE;
        (, bytes32 messageIdentifier) = escrow.submitMessage{value: _getTotalIncentive(_INCENTIVE)}(
            _DESTINATION_IDENTIFIER,
            _DESTINATION_ADDRESS_THIS,
            _MESSAGE,
            incentive
        );

        assertEq(messageIdentifier, bytes32(0xeaa2656c806ede225c7826a7d7f26fbc0f3ba4c918a54ed06a04842f76fef24b));
    }

    function test2_notUnique_identifier_block_11() public {
        vm.roll(11);
        IncentiveDescription storage incentive = _INCENTIVE;
        (, bytes32 messageIdentifier) = escrow.submitMessage{value: _getTotalIncentive(_INCENTIVE)}(
            _DESTINATION_IDENTIFIER,
            _DESTINATION_ADDRESS_THIS,
            _MESSAGE,
            incentive
        );

        assertEq(messageIdentifier, bytes32(0xeaa2656c806ede225c7826a7d7f26fbc0f3ba4c918a54ed06a04842f76fef24b));
    }

Poc File attached below

Potential fix

Verify that the same message can't be sent twice on the same block through different transactions.

reednaa commented 9 months ago

Both tests are run in separate and clean VMs.
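
Added example, not part of the thread or the project's code: a Python model of why two tests run against clean state return the same identifier whether or not a duplicate guard exists, so only a test that reuses one state can tell the two cases apart. The `Escrow` class, its identifier derivation (SHA-256 over block number, destination and message, standing in for the contract's hash) and the `reject_duplicates` switch are assumptions made for illustration.

```python
import hashlib

class Escrow:
    """Toy stand-in for the escrow (hypothetical, not the Catalyst contract)."""
    def __init__(self, reject_duplicates):
        self.reject_duplicates = reject_duplicates
        self.block_number = 0
        self.seen = set()  # state that lives only as long as this instance

    def submit_message(self, destination, message):
        # Assumed derivation: identifier depends on block number, destination, message.
        data = self.block_number.to_bytes(32, "big") + destination + message
        identifier = hashlib.sha256(data).hexdigest()
        if self.reject_duplicates and identifier in self.seen:
            raise ValueError("identifier already used")
        self.seen.add(identifier)
        return identifier

def isolated_poc(reject_duplicates):
    """Mirrors the two posted tests: each one starts from a fresh instance."""
    ids = []
    for _ in range(2):
        escrow = Escrow(reject_duplicates)  # clean state per test
        escrow.block_number = 11            # equivalent of vm.roll(11)
        ids.append(escrow.submit_message(b"dest", b"msg"))
    return ids[0] == ids[1]

def shared_state_poc(reject_duplicates):
    """Both submissions reach the same instance in the same block."""
    escrow = Escrow(reject_duplicates)
    escrow.block_number = 11
    first = escrow.submit_message(b"dest", b"msg")
    try:
        second = escrow.submit_message(b"dest", b"msg")
    except ValueError:
        return "rejected"
    return "duplicate accepted" if first == second else "distinct"

if __name__ == "__main__":
    for guard in (False, True):
        # The isolated result is identical for both settings; the shared one differs.
        print(guard, isolated_poc(guard), shared_state_poc(guard))
```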