Platform: Code4rena
Start Date: 03/07/2023
Pot Size: $40,000 USDC
Total HM: 14
Participants: 74
Period: 7 days
Judge: alcueca
Total Solo HM: 9
Id: 259
League: ETH
Rank: 18/74
Findings: 2
Award: $169.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: tonisives
Also found by: Inspecktor, MohammedRizwan, Qeew, peanuts, sces60107
162.9427 USDC - $162.94
A malicious actor can use the same salt parameter to front-run the creation of a Well contract, leading to a DoS.
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Aquifer.sol#L42
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Aquifer.sol#L48
The Aquifer.boreWell function is responsible for creating a new Well. If _salt != 0, it uses LibClone.cloneDeterministic, i.e. CREATE2. In that case the address of the new Well is fully determined by the deployer (the Aquifer contract), the init code of the clone and the _salt parameter supplied by the caller. Once the caller's transaction is broadcast, the _salt parameter (and the other call arguments) can be seen by anyone watching the public mempool.
An attacker can front-run the transaction with a boreWell call that uses the same implementation, immutable data and salt. CREATE2 then deploys the attacker's clone at exactly the address the victim's call would have produced, so when the victim's transaction executes the target address is already occupied and the CREATE2 call, and with it the whole transaction, reverts.
Manual Review
It is recommended to combine the salt with msg.sender, so that a different sender cannot produce the same address:
well = implementation.cloneDeterministic(immutableData, keccak256(abi.encode(msg.sender, _salt)));
DoS
#0 - c4-pre-sort
2023-07-11T15:52:56Z
141345 marked the issue as duplicate of #217
#1 - c4-pre-sort
2023-07-12T16:03:09Z
141345 marked the issue as duplicate of #221
#2 - c4-pre-sort
2023-07-12T16:12:27Z
141345 marked the issue as duplicate of #181
#3 - 141345
2023-07-12T16:17:41Z
this one does not point out a clear path of losing maybe partial
#4 - c4-judge
2023-08-04T05:57:47Z
alcueca marked the issue as satisfactory
🌟 Selected for report: 0xprinc
Also found by: 0x11singh99, 0xAnah, 0xWaitress, 0xkazim, 2997ms, 33audits, 404Notfound, 8olidity, CRIMSON-RAT-REACH, CyberPunks, DanielWang888, Deekshith99, Eeyore, Eurovickk, Inspecktor, JGcarv, John, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Qeew, QiuhaoLi, Rolezn, TheSavageTeddy, Topmark, Trust, Udsen, a3yip6, alexzoid, bigtone, codegpt, erebus, fatherOfBlocks, ginlee, glcanvas, hunter_w3b, josephdara, kaveyjoe, kutugu, mahdirostami, max10afternoon, oakcobalt, peanuts, pfapostol, ptsanev, qpzm, radev_sw, ravikiranweb3, sces60107, seth_lawson, te_aut, twcctop, zhaojie, ziyou-
6.0655 USDC - $6.07
Draft OpenZeppelin Dependency
The Well contract uses draft-ERC20PermitUpgradeable.sol, an OpenZeppelin contract. A contract that appears as a draft is not considered ready for mainnet use.
OpenZeppelin contracts may be considered draft contracts if they have not received adequate security auditing or are liable to change with future development.
#0 - c4-pre-sort
2023-07-13T14:41:11Z
141345 marked the issue as low quality report
#1 - c4-judge
2023-08-04T21:33:41Z
alcueca marked the issue as grade-b