Open hats-bug-reporter[bot] opened 1 month ago
I believe this was audited on the main
branch before it was switched to dev
as the recommended mitigation is already part of the code.
The other point about manipulating the average magnitude with a lot of https://github.com/code-423n4/2024-02-tapioca-findings/issues/56 Which although mathematically possible, we still need to take into perspective the environment and external factors of contract as explained here.
Let us know if we missed something!
Github username: @GalloDaSballo Twitter username: GalloDaSballlo Submission hash (on-chain): 0x408ef4be9da5c0d0c07eb233833befcfcd651e8883c0978ee27a43016272a49c Severity: medium
Description:
This report combines two ideas I had already sent:
By combining the two, we can construct the following attack:
1000
), which will cause locks to have a very short durationWe can abuse this to make every lock still not pass the check required to create new locks as we can find a lock for which one of the two condition is broken:
Since we can achieve a very small cumulative, but the contract enforces a duration of at least one week, no new lock can be created
MATH
The POC demonstrates that we can get cumulative to be: 603800
POC
Full Repo (invite only, please DM me): https://github.com/GalloDaSballo/math-tester-fixed/tree/feat-hats
The coded poc shows how we can achieve a small cumulative and a small averageMagnitude
By being able to achieve both, we put twTAP in a position that cannot be recovered except by the attacker
The POC is written by changing the original POC I had written, to use the new code for twTAP, and was run with Echidna on Recon
Complete Logs are available here: https://getrecon.xyz/dashboard/jobs/6963fc25-f011-4ebd-b843-eb321e0224da
Parsing the logs we get the following POC, in foundry:
Logs
Which show that the cumulative is so low that no new locks can be created
Mitigation
I believe that my finding around manipulating the averageMagnitude should be reviewed and the logic for average should be changed: https://github.com/code-423n4/2024-02-tapioca-findings/issues/56
To mitigate this attack directly, the cumulative should be floored at ONE_WEEK, meaning that any time it goes below, the value should be brought back up
Alternatively the check for magnitude * 4 should be refactor to allow ONE_WEEK locks to be recreated