Description: The callDiamondWithEIP2612Signature function is susceptible to a frontrunning attack. Frontrunning occurs when an attacker observes a pending transaction in the transaction pool and attempts to execute their transaction with a higher gas price, effectively "frontrunning" the original transaction.
The callDiamondWithEIP2612Signature function allows users to bridge tokens through the LI.FI diamond contract using an EIP2612 gasless permit. However, the function parameters diamondAddress and diamondCalldata are not signed by the user and can be modified by an attacker.
An attacker can observe a pending transaction that calls callDiamondWithEIP2612Signature and extract the tokenAddress, owner, amount, deadline, v, r, and s parameters. The attacker can then create their transaction with the same parameters but modify the diamondAddress and diamondCalldata to execute a different action or transfer the tokens to a different address.
By submitting the attacker's transaction with a higher gas price, the attacker can potentially frontrun the original transaction and execute their malicious action before it is processed.
Recommendation: Consider accepting a signature from the owner approving the diamondAddress / diamondCalldata.
Context: Permit2Proxy.sol#L64
LI.FI: Fixed in 0e3debb78abcdf9a9f934115338b611e16b039a0
Researcher: Verified.
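A sketch of the recommendation, added here as an example (it is not the LI.FI code and not the fix in the commit above): the owner signs an EIP-712 message covering diamondAddress and the hash of diamondCalldata, so the permit values copied from a pending transaction cannot be paired with a different target or call. The contract name, the DiamondCall struct and type string, the nonce mapping and the _verifyDiamondCall helper are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical sketch: every name here except the parameter names taken from
// callDiamondWithEIP2612Signature is an assumption, not the project's API.
contract SignedDiamondCallCheck {
    struct DiamondCall {
        address owner; address tokenAddress; uint256 amount;
        address diamondAddress; bytes diamondCalldata; uint256 deadline;
    }
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,uint256 chainId,address verifyingContract)"
    );
    bytes32 private constant CALL_TYPEHASH = keccak256(
        "DiamondCall(address tokenAddress,uint256 amount,address diamondAddress,bytes diamondCalldata,uint256 nonce,uint256 deadline)"
    );
    // secp256k1 half order: signatures with a larger s are malleable (EIP-2).
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public nonces; // per-owner replay protection

    error Expired();
    error BadSignature();

    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("SignedDiamondCallCheck"),
            block.chainid, address(this)
        ));
    }

    // Reverts unless c.owner signed exactly this diamondAddress and calldata.
    // Meant to run before the permit is consumed and the diamond is called.
    function _verifyDiamondCall(
        DiamondCall calldata c, uint8 v, bytes32 r, bytes32 s
    ) internal {
        if (block.timestamp > c.deadline) revert Expired();
        if (uint256(s) > HALF_N) revert BadSignature();
        // EIP-712 encodes dynamic bytes as the keccak256 of their contents.
        bytes32 structHash = keccak256(abi.encode(
            CALL_TYPEHASH, c.tokenAddress, c.amount, c.diamondAddress,
            keccak256(c.diamondCalldata), nonces[c.owner]++, c.deadline
        ));
        bytes32 digest = keccak256(
            abi.encodePacked("\x19\x01", domainSeparator(), structHash)
        );
        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0) || signer != c.owner) revert BadSignature();
    }
}
```

With this check in place, changing diamondAddress or any byte of diamondCalldata changes the digest, so the recovered signer no longer equals owner and the call reverts.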