Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 163/183
Findings: 1
Award: $0.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur
0.0234 USDC - $0.02
The calls to withdraw function can be dos by anyone using deposit function with 0 token transfers, which leads to stuck assets for those who want to withdraw.
Since the VaultManagerV2 contract uses idToBlockOfLastDeposit[id] = block.number; in deposit and withdraw function to prevent depositing and withdrawing at the same time(block). And the assets(eg. weth, wstETH) are ERC20 tokens which doesn't revert on 0 token transfers, an attacker who monitors the mempool can revert all withdraw transaction by frontrunning and calling the deposit function in the same block with 0 as amount.
When the attacker sees the withdraw transaction he can frontrun it by calling deposit which will update the idToBlockOfLastDeposit to the current block.number and when the withdrawer's transaction gets executed the check if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock(); will revert his withdrawal because the idToBlockOfLastDeposit is the current block. The attacker can repeat this everytime the targeted user tries to withdraw and spend only gas fees and 0 assets for this attack while the user is impossible to withdraw his assets.
manual
In the deposit function use isDNftOwner(id) modifier instead of isValidDNft(id) so that no one but the owner can deposit which will prevent the attack.
Or in both the functions change block.number to block.timestamp which will have a very rare/impossible case of two transactions to have the same timestamp rather than block.number which can be the same for two different transactions.
- idToBlockOfLastDeposit[id] = block.number; + idToBlockOfLastDeposit[id] = block.timestamp;
Or set a minimum amount that must be deposited when deposit is called.
DoS
#0 - c4-pre-sort
2024-04-27T11:48:30Z
JustDravee marked the issue as duplicate of #489
#1 - c4-pre-sort
2024-04-29T09:28:40Z
JustDravee marked the issue as sufficient quality report
#2 - c4-judge
2024-05-05T20:38:14Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#3 - c4-judge
2024-05-05T20:39:23Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2024-05-05T21:21:52Z
koolexcrypto marked the issue as nullified
#5 - c4-judge
2024-05-05T21:21:58Z
koolexcrypto marked the issue as not nullified
#6 - c4-judge
2024-05-08T15:28:11Z
koolexcrypto marked the issue as duplicate of #1001
#7 - c4-judge
2024-05-11T19:50:28Z
koolexcrypto marked the issue as satisfactory
#8 - c4-judge
2024-05-13T18:34:30Z
koolexcrypto changed the severity to 3 (High Risk)