Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 102/120
Findings: 1
Award: $10.86
π Selected for report: 0
π Solo Findings: 0
π Selected for report: AkshaySrivastav
Also found by: 0xTheC0der, Dug, GT_Blockchain, Haipls, adriro, bin2chen, carlitox477, dingo2077, fs0c, hasmama, hihen, holyhansss_kr, juancito, ladboy233, philogy, saian, said, sashik_eth, yixxas, zion
10.8554 USDC - $10.86
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/Factory.sol#L71-L125 https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/Factory.sol#L92
users wonβt not able to create a private pool
The Factory::create() function is always exposed to the frontrunning risk. The create() function receives _salt as a parameter when creating a private pool. And since _salt is used in create2, the address is determined by _salt.
If a malicious user continues to front-run users to create a private pool with the same salt, they will not be able to create a private pool.
In addition, this vulnerability has a risk of reorg attack. you can check out this report for the reorg attack. This report is well explaining the reorg attack
Chain reorg enables creation of a pool with the same address - sashik_eth.
The reason the above attacks are possible is that the malicious user can make a pool without having an nft. Bypass can be easily done by setting tokenIds.length to 0.
vs code
Do not accept salt from the user and change the salt parameter like the below code
bytes32 salt = keccak256(abi.encodePacked(msg.sender, _baseToken, _nft)); privatePool = PrivatePool(payable(privatePoolImplementation.cloneDeterministic(salt)));
#0 - c4-pre-sort
2023-04-20T17:18:49Z
0xSorryNotSorry marked the issue as duplicate of #419
#1 - c4-judge
2023-05-01T07:22:55Z
GalloDaSballo marked the issue as satisfactory