Open hats-bug-reporter[bot] opened 2 months ago
Intended design to be an open ecosystem of custom smart contracts, so vetting of trustworthy contracts is a responsibility for wallets and community tools built.
On the second topic of re-entrancy, there is no harm as far as we can see without an explicit re-entrancy lock, nor does your issue highlight one.
Github username: -- Twitter username: -- Submission hash (on-chain): 0xefcb418ed363eeb90786d2a691e2549a39478f275e9ba99d122a8abed3508b62 Severity: medium
Description:
Impact
Gas-griefing: Loss of native token up to the
block.gaslimit
with each vulnerable transaction Potential loss of funds or value upon re-entrancy attacksNote: as this vulnerability is by design of the current system I decided to submit it as a single medium severity combining both the gas-griefing and the re-entrancy issue into a single submission
Description
Groups are required to set up a mint policy that can be any address with
registerGroup
and also can set up an arbitrary treasury viaregisterCustomGroup
. This flexibility gives way for a lot of attacks against users who attempt to interact with groups such as minting their circle.Hub.sol
-registerCustomGroup()
Vulnerable functions
The following functions called can spend up to the
block.gaslimit
funds of the sender and re-enter functions ofcircle-v2
contractsHub.groupMint()
treasury.onERC1155Received()
policy.beforeMintPolicy()
policy.beforeBurnPolicy()
policy.beforeRedeemPolicy()
Proof of Concept
Here are two examples of these kind of attacks:
Group Mint re-entrancy Loss of Value
Hexagon
group has a popularCircle
token that has a trade-able market value of$10
10000
hexagonCircle
with validcollateral
callinggroupMint()
: expects a $10 value ofhexagonCircle
s to be minted aka total of $100k_groupMint()
callssafeBatchTransferFrom()
->treasury.onERC1155Received()
can immediately sell group ownedhexagonCircle
s andcollateral
from thevault
to dump the token price to$5
10000
hexagonCircle
s but with a value of only $50k instead of $100kGas-griefing burn and redeem policy
Hexagon
group is incentivized to mint as many tokens forcollateral
tokens to theirvault
MintPolicy
that spends as much gas as possible onredeems
andburns
of the treasury to punish users who intend to redeem or burn their tokenredeem
andburn
will pay gas costs up to theblock.gaslimit
because of arbitrary.beforeRedeemPolicy()
and.beforeBurnPolicy()
gas spendsNote they can also upgrade the
MintPolicy
if it's an upgradeable contract to suddenly gas-grief usersRecommendation
Consider to add reentrancy guards to all of the publicly available functions.
Consider to disallow arbitrary addresses as treasuries and mint policies as they can be very dangerous, instead try to design a more customize-able mint policy and treasury and deploy it during
registerGroup()
: e.g. only deployed policies and treasuries from theHub
would be enabled to used by the contracts. While this would reduce flexibility of the codebase, it would marginally improve safety.