Open hats-bug-reporter[bot] opened 3 months ago
The centralization of the solution is intended and also the "power" we gave to the updater, so I think this issue is out of scope, while it's true that in some (rare) cases the updater might frontrun some reward claims by the users.
Github username: -- Twitter username: ACai_sec Submission hash (on-chain): 0x7011a8e98973aebddf0f05540dbc52f968fb41c0bfbe626f5a2fd34dfd977bf0 Severity: high
Description: Description:
The
distributeRewards
function within a smart contract framework allows an authorizedupdater
to set and update the Merkle root (root
) and associated data (data
) for campaign reward distributions. This function is crucial as it defines the basis for validating reward claims through Merkle proofs, ensuring that rewards are distributed according to the predefined and immutable conditions of a campaign.However, the current implementation permits the
updater
to change the Merkle root of a campaign an unlimited number of times without any checks on the frequency, necessity, or impact of such changes. This flexibility, while ostensibly providing operational fluidity, introduces significant vulnerabilities in terms of data consistency, trust, and security of the funds involved in these campaigns.The primary concern arises from the ability to alter the Merkle root at any point, which can invalidate previously valid proofs, disrupt the ongoing reward claims process, and potentially facilitate fraudulent activities if the
updater
role is compromised.Attack Scenario:
The vulnerability of unrestricted updates to the campaign Merkle root can lead to significant inconsistencies and disruptions from an operational perspective, compromising the integrity of the reward distribution process.
Data Inconsistency: Frequent changes to the Merkle root can severely disrupt the consistency of global data within the smart contract. Each update to the root potentially alters the entire reward distribution landscape for the campaign.
Unintended Consequences: Since the Merkle root directly affects which transactions are considered valid, changes can unintentionally affect the outcome of pending transactions. For example, a user who initiates a reward claim just before an unexpected root update might find their transaction failing because the proof no longer matches the new root. This affects the user’s ability to claim rewards.
Attachments:
Proof of Concept (PoC):
Scenario Setup: A number of users have participated in a campaign and received their respective Merkle proofs based on the initial root, which validates their claims to certain rewards. The gobal variable has calculated base on this root, like
reward.claimed
andreward.unclaimed
.Action by Contract Administrator (Updater):
Impact on Users: Right after the update, a user who attempts to claim their reward finds that their previously valid Merkle proof no longer matches the new root. Their transaction is reverted, and the claim is denied.