nfmelendez - Front-running griefing attack on PerAddressContinuousVestingMerkleDistributorFactory and PerAddressTrancheVestingMerkleDistributorFactory #17
nfmelendez
medium
Front-running griefing attack on PerAddressContinuousVestingMerkleDistributorFactory and PerAddressTrancheVestingMerkleDistributorFactory
Summary
The deployDistributor method in PerAddressContinuousVestingMerkleDistributorFactory and PerAddressTrancheVestingMerkleDistributorFactory calls Clones.cloneDeterministic (which uses the CREATE2 opcode) with a generated salt to create a contract at a deterministic address. An attacker can front-run the call with the same arguments and create a contract at the same address, so the user's transaction will always revert.
Vulnerability Detail
Since the salt is not created with msg.sender, any attacker can front-run the user by calling deployDistributor with the same parameters, and the user's transaction will revert.
Impact
All user transactions will fail.
Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/main/contracts/packages/hardhat/contracts/claim/factory/PerAddressTrancheVestingMerkleDistributorFactory.sol#L59-L61
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/main/contracts/packages/hardhat/contracts/claim/factory/PerAddressContinuousVestingMerkleDistributorFactory.sol#L59-L61
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/main/contracts/packages/hardhat/contracts/claim/factory/PerAddressTrancheVestingMerkleDistributorFactory.sol#L20-L38
Tool used
Recommendation
Add msg.sender when creating the salt in both contracts: PerAddressContinuousVestingMerkleDistributorFactory and PerAddressTrancheVestingMerkleDistributorFactory.
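
The recommendation above, shown as an added example that is not the audited contracts' code: a hypothetical factory (ExampleDistributorFactory, with assumed parameters merkleRoot, total and nonce) built on OpenZeppelin's Clones library, with the salt derived both without and with msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical factory written for illustration; names and parameters are assumptions.
contract ExampleDistributorFactory {
    address public immutable implementation;

    constructor(address implementation_) {
        implementation = implementation_;
    }

    // Pattern described in the report: the salt depends only on the call
    // arguments, so any account repeating them derives the same CREATE2
    // address, and a second deployment to that address reverts.
    function saltWithoutSender(bytes32 merkleRoot, uint256 total, uint256 nonce)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(merkleRoot, total, nonce));
    }

    // Recommended pattern: bind the salt to the caller, so one account
    // cannot occupy the address that another account's call resolves to.
    function saltWithSender(address sender, bytes32 merkleRoot, uint256 total, uint256 nonce)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(sender, merkleRoot, total, nonce));
    }

    // Deploys the clone at an address derived from msg.sender and the arguments.
    function deployDistributor(bytes32 merkleRoot, uint256 total, uint256 nonce)
        external returns (address distributor)
    {
        bytes32 salt = saltWithSender(msg.sender, merkleRoot, total, nonce);
        distributor = Clones.cloneDeterministic(implementation, salt);
        // The clone's initializer call is project-specific and not part of this example.
    }

    // Address prediction now needs the expected deployer as an input,
    // because the result differs per sender.
    function predictDistributorAddress(address sender, bytes32 merkleRoot, uint256 total, uint256 nonce)
        external view returns (address)
    {
        return Clones.predictDeterministicAddress(
            implementation, saltWithSender(sender, merkleRoot, total, nonce), address(this)
        );
    }
}
```

Any off-chain tooling that precomputes the distributor address has to pass the deployer it expects once the salt includes msg.sender.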