Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 54/111
Findings: 1
Award: $165.94
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: gzeon
Also found by: 0xMirce, Breeje, Inspecktor, ptsanev
165.9409 USDC - $165.94
Exploits involving Stealing of funds.
The deployVault function deploys a new vault contract using the create, where the address derivation depends only on the arguments passed.
At the same time, some of the chains (Polygon, Optimism, Arbitrum) to which the VaultFactory will be deployed are suspicious of the reorg attack.
File: VaultFactory.sol 67: Vault _vault = new Vault(
Even more, the reorg can be couple of minutes long. So, it is quite enough to create the position and transfer funds to that address, especially when someone uses a script, and not doing it by hand.
Optimistic rollups (Optimism/Arbitrum) are also suspect to reorgs since if someone finds a fraud the blocks will be reverted, even though the user receives a confirmation and already created a position.
If Alice creates a new vault, and then sends funds to it. Bob sees that the network block reorg happens and calls deployVault. Thus, it creates vault with an address to which Alice sends funds. Then Alices' transactions are executed and Alice transfers funds to Bob's controlled vault.
VS Code
Deploy the Vault contract via create2 with salt.
Other
#0 - c4-judge
2023-07-16T22:27:54Z
Picodes marked the issue as duplicate of #416
#1 - c4-judge
2023-08-06T22:36:05Z
Picodes marked the issue as satisfactory