Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 179/183
Findings: 1
Award: $0.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur
0.0234 USDC - $0.02
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L119-L153
The contract VaultManagerV2.sol#L137 uses a withdrawal function that initially checks the deposit time block. This is because if a DNFT owner attempts to deposit and withdraw in the same block, the function will revert
This condition check creates vulnerability to a frontrunning attack. Since the deposit function only verifies if the caller is a valid DNFT owner but does not verify if the caller owns the specific ID (isDNftOwner), it becomes susceptible. For instance, if a DNFT owner triggers the withdraw function, simultaneously an attacker monitors the mempool for the victim's transaction. The attacker then deposits some amount to the victim's ID in the same block, executing a frontrunning attack. Consequently, the victim's withdrawal transaction is reverted due to the condition: if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
VaultManagerV2.sol function deposit( ... ) external isValidDNft(id) { idToBlockOfLastDeposit[id] = block.number; ... } function withdraw( ... ) public isDNftOwner(id) { if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock(); ... ... }
Vs code
Access Control
#0 - c4-pre-sort
2024-04-27T11:30:36Z
JustDravee marked the issue as duplicate of #1103
#1 - c4-pre-sort
2024-04-27T11:45:44Z
JustDravee marked the issue as duplicate of #489
#2 - c4-pre-sort
2024-04-29T09:29:24Z
JustDravee marked the issue as sufficient quality report
#3 - c4-judge
2024-05-05T20:38:12Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2024-05-05T21:00:52Z
koolexcrypto marked the issue as nullified
#5 - c4-judge
2024-05-05T21:00:59Z
koolexcrypto marked the issue as not nullified
#6 - c4-judge
2024-05-08T15:29:12Z
koolexcrypto marked the issue as duplicate of #1001
#7 - c4-judge
2024-05-11T19:50:58Z
koolexcrypto marked the issue as satisfactory
#8 - c4-judge
2024-05-13T18:34:30Z
koolexcrypto changed the severity to 3 (High Risk)