Front-running Vulnerability in PToken Deployment Due to Predictable Deterministic Addressing
Summary
The PointTokenVault contract's deployPToken function uses CREATE2 with a predictable salt (pointsId), allowing front-running attacks. An attacker can observe the mempool for pending deployment transactions, predict the PToken address, and deploy a malicious contract to that address before the legitimate deployment occurs.
Vulnerability Detail
The vulnerability exists in the deployPToken function of the PointTokenVault contract.
The issue arises from:
The public visibility of the function, allowing anyone to call it.
The use of _pointsId as the salt for CREATE2, which is predictable if an attacker can observe the admin's transactions in the mempool.
The lack of additional randomness or access control in the deployment process.
The _pointsId is created using the LibString.packTwo function. An attacker can observe a pending transaction in the mempool that includes the _pointsId, predict the address where the PToken will be deployed, and front-run the transaction to deploy a malicious contract at that address.
Impact
Deployment of malicious PToken contracts that mimic legitimate ones but contain hidden malicious functionality.
This vulnerability could lead to financial losses, compromise the integrity of the point tokenization system, and potentially cause reputational damage to the protocol.
dimi6oni
Medium
Front-running Vulnerability in PToken Deployment Due to Predictable Deterministic Addressing
Summary
The
PointTokenVaultcontract'sdeployPTokenfunction usesCREATE2with a predictable salt (pointsId), allowing front-running attacks. An attacker can observe the mempool for pending deployment transactions, predict the PToken address, and deploy a malicious contract to that address before the legitimate deployment occurs.Vulnerability Detail
The vulnerability exists in the
deployPTokenfunction of thePointTokenVaultcontract.The issue arises from:
_pointsIdas the salt forCREATE2, which is predictable if an attacker can observe the admin's transactions in the mempool.The
_pointsIdis created using theLibString.packTwofunction. An attacker can observe a pending transaction in the mempool that includes the_pointsId, predict the address where the PToken will be deployed, and front-run the transaction to deploy a malicious contract at that address.Impact
Code Snippet
https://github.com/sherlock-audit/2024-07-sense-points-marketplace/blob/076bf833f4dc1418e93c8172e4a4110344f1c812/point-tokenization-vault/contracts/PointTokenVault.sol#L256-L268
Tool used
Manual Review
Recommendation