Closed sherlock-admin2 closed 2 months ago
1 comment(s) were left on this issue during the judging contest.
infect3d commented:
re-org are invalid by sherlock rules unless specified by sponsor as valid
Invalid per sherlock rules:
Chain re-org and network liveness related issues are not considered valid.
aman
high
Reorgs attack issue while deploying using create , will result in fund lost for Requester contract
Summary
The Requester contract is used to request RNG from
witnet
protocol, However The Requester contract is deployed using create op-code which is vulnerable to re orgs attacks and also hold the fee amount left.Vulnerability Detail
When user request for new RNG the Protocol checks that if the user has requester deployed if not then the protocol deployed requester contract using create op-code after this deployment the newly created requester contract is used to request new RNG from
witnet
andwitnet
return the left amount to the newly deployed request contract has it sends the request towitnet
contract.The request Function call :
92:
it will submit request to witnet via newly created requester. The amount left will be sent back to new Requester. Note that for new Requester the deployment and submission of request happen in same block. Re-orgs is a known issue in Ethereum and other EVM compatible protocols and one depth re-orgs is pretty common. Alice Tries to request new RNG for the first time.requestRandomNumber
function to generate new RNG.witnet
.Witnet
add request to its state and return the remainingFunds
to new Request contract.funds
Impact
The user will lost the funds locked in
Requester
contract.Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-rng-witnet/src/Requestor.sol#L36-L40 https://github.com/sherlock-audit/2024-05-pooltogether/blob/main/pt-v5-rng-witnet/src/RngWitnet.sol#L85-L95
Tool used
Manual Review
Recommendation
deployed the contract with
create2
op-code and use the user address as a salt. it is already done with thePrizeVault
contract.