Platform: Code4rena
Start Date: 13/11/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 120
Period: 4 days
Judge: 0xTheC0der
Id: 306
League: ETH
Rank: 88/120
Findings: 1
Award: $4.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: chaduke
Also found by: 0xpiken, Bauchibred, Matin, MohammedRizwan, MrPotatoMagic, OMEN, Pheonix, SandNallani, T1MOH, Topmark, ZanyBonzy, adriro, aslanbek, ayden, bareli, bart1e, bin2chen, btk, cheatc0d3, codynhat, critical-or-high, d3e4, erebus, firmanregar, hunter_w3b, jasonxiale, kaveyjoe, ksk2345, lsaudit, max10afternoon, merlinboii, nailkhalimov, osmanozdemir1, peanuts, pep7siup, pontifex, sbaudh6, shenwilly, sl1, tourist, wisdomn_, young, zhaojie
4.0797 USDC - $4.08
The create function makes a new asD token using the create, where the address derivation depends only on the asDFactory nonce. At the time of creation, a block reorg may be happening. They're not uncommon on EVM chains, including Canto, where this project will be deployed. A malicious user can use this to his advantage to steal funds from the initial creator.
Previous reports also contain more information on the issue: Frankencoin, Rabbithole, PoolTogether.
Alice creates an asD contract through the create function. Bob sees that the block reorg is happening and calls the same function with different parameters. Thus, it creates the asD contract with an address that Alice is supposed to have. Subsequently, any transactions conducted on Alice's asD contract (e.g. minting, burning, etc.) will be executed on the asD contract with Bob's provided parameters.
function create(string memory _name, string memory _symbol) external returns (address) {
    asD createdToken = new asD(_name, _symbol, msg.sender, cNote, owner()); //@note
    isAsD[address(createdToken)] = true;
    emit CreatedToken(address(createdToken), _symbol, _name, msg.sender);
    return address(createdToken);
}
Manual code review
Use create2 instead of create, with salt that depends on msg.sender.
Other
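A sketch of the recommended mitigation, added here as an example and not part of the original submission or the project's code. AsDStandIn, SaltedFactory, _salt and predict are hypothetical names; the stand-in token omits the cNote and owner() arguments, and including the name and symbol in the salt is an assumption beyond the "depends on msg.sender" recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the project's asD token: it only records its
// constructor arguments so the factory below compiles on its own.
contract AsDStandIn {
    string public name;
    string public symbol;
    address public immutable creator;

    constructor(string memory _name, string memory _symbol, address _creator) {
        name = _name;
        symbol = _symbol;
        creator = _creator;
    }
}

// Hypothetical factory illustrating the recommendation (not the project's code).
contract SaltedFactory {
    mapping(address => bool) public isAsD;

    event CreatedToken(address token, string symbol, string name, address creator);

    // The salt binds the address to the caller, so a different account calling
    // create() after a reorg cannot land on the address the caller expected.
    function _salt(address creator, string memory _name, string memory _symbol)
        internal pure returns (bytes32)
    {
        return keccak256(abi.encode(creator, _name, _symbol));
    }

    function create(string memory _name, string memory _symbol) external returns (address) {
        // CREATE2: reverts if this creator already deployed the same name/symbol.
        AsDStandIn token = new AsDStandIn{salt: _salt(msg.sender, _name, _symbol)}(_name, _symbol, msg.sender);
        isAsD[address(token)] = true;
        emit CreatedToken(address(token), _symbol, _name, msg.sender);
        return address(token);
    }

    // Address a given creator will get, computable before sending the transaction.
    function predict(address creator, string memory _name, string memory _symbol)
        external view returns (address)
    {
        bytes32 initCodeHash = keccak256(abi.encodePacked(
            type(AsDStandIn).creationCode, abi.encode(_name, _symbol, creator)));
        return address(uint160(uint256(keccak256(abi.encodePacked(
            bytes1(0xff), address(this), _salt(creator, _name, _symbol), initCodeHash)))));
    }
}
```

Because the resulting address no longer depends on the factory nonce, the order in which create transactions are re-included after a reorg does not change which address each creator receives.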
#0 - c4-pre-sort
2023-11-20T07:48:29Z
minhquanym marked the issue as duplicate of #313
#1 - c4-judge
2023-11-29T00:16:48Z
MarioPoneder changed the severity to QA (Quality Assurance)
#2 - c4-judge
2023-11-29T22:30:58Z
MarioPoneder marked the issue as grade-c
#3 - ZanyBonzy
2023-12-03T09:26:22Z
Hi, I believe this to have been misjudged.
This is something that does happen and causes loss of funds to the user, which we agree is a high risk situation. But it occurs not very often which brings the severity down to a medium.
But we do agree that this happens, I still don't think it's worth taking the risk, just because it happens rarely, attackers certainly don't care about these things.
Also, issues of this type have always been historically judged as medium. Maïa Dao, RabbitHole, Pool together, Kairos Loan, etc as recent as 1/2 months ago. So, I don't quite follow why this shouldn't also be. I mean, a bit of consistency in judgement, please?
Thanks for your time.
#4 - c4-judge
2023-12-04T12:06:36Z
MarioPoneder marked the issue as grade-b