Taiko - 0xleadwizard's results

A based rollup -- inspired, secured, and sequenced by Ethereum.

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $140,000 USDC

Total HM: 19

Participants: 69

Period: 21 days

Judge: 0xean

Total Solo HM: 4

Id: 343

League: ETH

Researcher Performance

Rank: 16/69

Findings: 1

Award: $1,503.18

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: lightoasis

Also found by: 0xleadwizard, Tendency, alexfilippov314, ladboy233, wangxx2026

Labels

bug
3 (High Risk)
satisfactory
:robot:_60_group
duplicate-60

Awards

1503.1753 USDC - $1,503.18

External Links

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/main/packages/protocol/contracts/team/TimelockTokenPool.sol#L168-L172

Vulnerability details

Impact

A signature replay attack is possible, which leads to the withdrawal of user funds.

Proof of Concept

function withdraw(address _to, bytes memory _sig) external {
    if (_to == address(0)) revert INVALID_PARAM();
    bytes32 hash = keccak256(abi.encodePacked("Withdraw unlocked Taiko token to: ", _to));
    address recipient = ECDSA.recover(hash, _sig);
    _withdraw(recipient, _to);
}

No nonce is used in the hash.

Flow of the attack:

  1. A grant is approved to A
  2. A allows B to withdraw by signing the hash
  3. B withdraws on behalf of A
  4. A gets a new grant approved
  5. B uses the same previous sig to withdraw all of A's funds again!

A nonce should be used while constructing the hash.

Assessed type

Invalid Validation

#0 - c4-pre-sort

2024-03-28T18:50:46Z

minhquanym marked the issue as duplicate of #60

#1 - c4-judge

2024-04-10T11:21:09Z

0xean marked the issue as satisfactory
