DFY-02M: Delegator Removal Re-Entrancy Flaw
Description:
The DelegateFactory::revokeExpiredDelegators function will iterate through the delegators in the system and attempt to withdraw the delegated token for each if they have expired. The problem lies in the fact that the Delegator::withdrawDelegatedToken function will transfer the EIP-721 asset using the IERC721::safeTransferFrom function which will in turn inform the recipient. The recipient can then:
Transfer the EIP-721 asset they received back to the Delegator
Invoke the DelegateFactory::revokeExpiredDelegators function again
The above will result in the delegators array being reduced by one on each re-entry incorrectly for the same entry. To avoid out-of-bound access errors, the user can also re-enter the DelegateFactory::deployDelegator function resulting in their newly deposited token overwriting the previously-last entry in the delegators array and thus causing the NFT to be lost.
Impact:
It is presently possible to cause the last entry in the delegators array to be erased incorrectly via a re-entrancy attack, thereby causing it to be lost. The exhibit requires the malicious user to be able to re-enter the DelegateFactory::deployDelegator function thereby reducing the finding's severity to medium.
Example:
Recommendation:
We advise the Delegator::withdrawDelegatedToken function to utilize a normal IERC721::transferFrom operation, and the DelegateFactory::deployDelegator and DelegateFactory::revokeExpiredDelegators functions to be non-reentrant, preventing the misbehaviour described.
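As an added illustration that is not part of the audited code base, a hypothetical minimal Delegator / DelegateFactory pair written in the recommended form: a plain IERC721::transferFrom in withdrawDelegatedToken, nonReentrant on deployDelegator and revokeExpiredDelegators, and removal of the array entry before the external call. The contract internals, storage layout and the OpenZeppelin v5 import paths are assumptions; only the function and array names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical minimal Delegator: custodies one EIP-721 token for its owner until expiry.
contract Delegator {
    IERC721 public immutable token;
    uint256 public immutable tokenId;
    address public immutable owner;
    uint256 public immutable expiry;
    address public immutable factory;

    constructor(IERC721 token_, uint256 tokenId_, address owner_, uint256 expiry_) {
        token = token_; tokenId = tokenId_; owner = owner_; expiry = expiry_;
        factory = msg.sender;
    }

    // Recommended form: plain transferFrom, so the recipient receives no
    // onERC721Received callback while the factory's loop is mid-iteration.
    function withdrawDelegatedToken() external {
        require(msg.sender == factory, "only factory");
        token.transferFrom(address(this), owner, tokenId);
    }
}

contract DelegateFactory is ReentrancyGuard {
    Delegator[] public delegators;

    // nonReentrant: no entry can be appended while revocation is rewriting the array.
    function deployDelegator(IERC721 token, uint256 tokenId, uint256 expiry) external nonReentrant {
        Delegator d = new Delegator(token, tokenId, msg.sender, expiry);
        token.transferFrom(msg.sender, address(d), tokenId); // caller must have approved this factory
        delegators.push(d);
    }

    // nonReentrant plus swap-and-pop *before* the external call (checks-effects-
    // interactions): each expired entry is removed from the array exactly once.
    function revokeExpiredDelegators() external nonReentrant {
        for (uint256 i = delegators.length; i > 0; i--) { // backwards so pops never skip an entry
            Delegator d = delegators[i - 1];
            if (block.timestamp < d.expiry()) continue;
            delegators[i - 1] = delegators[delegators.length - 1];
            delegators.pop();
            d.withdrawDelegatedToken();
        }
    }
}
```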