Platform: Code4rena
Start Date: 01/04/2024
Pot Size: $120,000 USDC
Total HM: 11
Participants: 55
Period: 21 days
Judge: Picodes
Total Solo HM: 6
Id: 354
League: ETH
Rank: 21/55
Findings: 1
Award: $212.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DadeKuma
Also found by: 0xStalin, 0xhacksmithh, 99Crits, Aymen0909, Bauchibred, CodeWasp, Dup1337, IllIllI, John_Femi, K42, KupiaSec, Naresh, Rhaydden, Rolezn, Sathish9098, Topmark, ZanyBonzy, albahaca, bareli, blockchainbuttonmasher, cheatc0d3, codeslide, crc32, d3e4, favelanky, grearlake, hihen, jasonxiale, jesjupyter, lanrebayode77, lirezArAzAvi, lsaudit, mining_mario, oualidpro, pfapostol, radin100, rbserver, sammy, satoshispeedrunner, slvDev, twcctop, zabihullahazadzoi
212.8863 USDC - $212.89
Collateral trackers are cloned non-deterministically. In case of a reorg this can cause users to deposit different amounts of funds into trackers than they intended to and leaving them with a lower liquidation point than planned.
The PanopticFactory.deployNewPool function creates new pools and contracts like this:
newPoolContract = PanopticPool(POOL_REFERENCE.cloneDeterministic(salt)); CollateralTracker collateralTracker0 = CollateralTracker( Clones.clone(COLLATERAL_REFERENCE) ); CollateralTracker collateralTracker1 = CollateralTracker( Clones.clone(COLLATERAL_REFERENCE) );
While the pool address is deterministic, the collateral tracker addresses are not. A scenario where this can cause issues:
Block 1: 2 panoptic pools for 2 different uniswap pools are deployed
0x123
0x10x20x456
0x30x4Block 2: a user operates a bot that automatically deposits funds and sells options if deemed potentially lucrative
Now imagine a reorg happens and the new Block 1 will have swapped the deployment transactions:
0x456
0x1 (previously 0x3)0x2 (previously 0x4)0x123
0x3 (previously 0x1)0x4 (previously 0x2)Since the transactions of the user bot have already been submitted they will still be processed with their original tx data. In a good case, they will just revert, but it can also happen that they pass and the user will have deposited collateral and sold options, except now the collateral deposits have been reversed and the user may end up with a lower liquidation point for a more volatile pool.
Manual review
Also use cloneDeterministic for the CollateralTrackers (can use the same salt as used for the PanopticPool)
Other
#0 - Picodes
2024-04-25T16:29:41Z
At first sight, this is a very very extreme scenario. You need the same underlying tokens, correct approvals, etc
#1 - c4-judge
2024-04-25T16:29:45Z
Picodes marked the issue as primary issue
#2 - dyedm1
2024-04-26T19:33:43Z
Technically possible, but extremely unlikely (especially if a deliberate attempt was made to create a malicious pool, which is the only way this could cause any real issues). Not sure if warrants medium severity given the very low probability.
#3 - Picodes
2024-04-29T21:30:40Z
I don't think the described scenario is worth Medium severity. It would require a gigantic amount of bad luck. However, it's possible that following this reorg idea and the sponsor's suggestion we could find a Medium severity scenario, for example, if an attacker was spamming deployments on malicious pools hoping at some point a collateral deposit would happen on their malicious pools due to a reorg.
#4 - c4-judge
2024-04-29T21:31:04Z
Picodes changed the severity to QA (Quality Assurance)
#5 - c4-judge
2024-04-29T21:31:24Z
Picodes marked the issue as grade-a