Closed sherlock-admin2 closed 5 months ago
Invalid/Low this is the same of front-running the initializing on proxies that has been standardized as low.
Invalid based on similar impacts of the following sherlock rule. A redeployment can be initiated
- Front-running initializers: Front-running initializers where there is no irreversible damage or loss of funds & the protocol could just redeploy and initialize again is not a valid issue.
John_Femi
medium
Griefing Attack on TOFT and mTOFT contract deployment
Summary
The
TOFTVault
is deployed and ownership transferred to zero address, then themTOFT
orTOFT
is expected to claim ownership of the vault on deployment, but the delay between the deployment of the vault and claiming of ownership of vault can be exploited and an attacker claim ownership by frontrunning theTOFT
contract deployment, causing the deployment to revert but expensive gas fee still paid.Vulnerability Detail
In the constructor of the
TOFTVault
the ownership of the vault is transferred to the address 0 as seen at https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/TOFTVault.sol#L43The claimOwnership function has no access control and anyone can call the function as seen at https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/TOFTVault.sol#L73
It is expected that
TOFT
claims the vault ownership here at https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/TOFT.sol#L83But the time difference between the two contract deployments opens up the possibility of an attacker monitoring the mempool to call the
claimOwnership
function ahead of theTOFT
contract deployment fulfillment. Though this causes no loss of funds, the contract deployment fails and the expensive deployment gas fee is still spent, causing grief to the team on the deployment of theTOFT
ormTOFT
contract. Deploying anotherTOFTVault
and repeating the same process yields the same resultImpact
Medium Impact as it causes no huge loss of funds except the ones spent on gas but can cause grief on the project by delaying the launch and deployment of the
TOFT
smart contractCode Snippet
Tool used
Manual Review, Forge
Recommendation
Instead of claiming ownership on contract deployment, deploy the TOFT contract and have an
admin/onlyOwner
function transfer ownership to the newly deployedTOFT
contract with_transferOwnership
. This is done once and ownership of the vault is successfully transferred.