VaultFactory is susceptible to the reorg attack #238
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-416
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L67
Vulnerability details
Impact
Exploits involving stealing of funds.
Proof of Concept
The deployVault function deploys a new vault contract using the create, where the address derivation depends only on the arguments passed. At the same time, some of the chains (Polygon, Optimism, Arbitrum) to which the VaultFactory will be deployed are susceptible to the reorg attack.
Link to Code
Moreover, a reorg can be a couple of minutes long. That is quite enough time to create the position and transfer funds to that address, especially when someone uses a script rather than doing it by hand.
Optimistic rollups (Optimism/Arbitrum) are also susceptible to reorgs, since if someone finds a fraud the blocks will be reverted, even though the user has received a confirmation and already created a position.
Suppose Alice creates a new vault and then sends funds to it. Bob sees that a network block reorg happens and calls deployVault. Thus, he creates a vault at the address to which Alice sends funds. Then Alice's transactions are executed and Alice transfers funds to the Bob-controlled vault.
Tools Used
VS Code
Recommended Mitigation Steps
Deploy the Vault contract via create2 with salt.
Assessed type
Other
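One way to implement the recommended mitigation, as an added example that is not code from the report or from the PoolTogether repository. ExampleVault, ExampleVaultFactory, userSalt and predictVault are hypothetical names, and mixing msg.sender into the salt is an assumption that goes beyond the report's "create2 with salt".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for the real Vault; constructor arguments are illustrative.
contract ExampleVault {
    address public immutable owner;
    address public immutable asset;

    constructor(address owner_, address asset_) {
        owner = owner_;
        asset = asset_;
    }
}

// Hypothetical factory: the vault address no longer depends on deployment order.
contract ExampleVaultFactory {
    event NewVault(address indexed vault, address indexed deployer);

    // Assumption: the salt commits to the caller, so a different account that
    // calls deployVault after a reorg cannot land on the address the original
    // caller expected, while the original caller's replayed call still does.
    function _salt(address deployer, bytes32 userSalt) internal pure returns (bytes32) {
        return keccak256(abi.encode(deployer, userSalt));
    }

    function deployVault(address asset, bytes32 userSalt) external returns (address vault) {
        // `new C{salt: ...}(...)` compiles to CREATE2; it reverts if the address is taken.
        vault = address(new ExampleVault{salt: _salt(msg.sender, userSalt)}(msg.sender, asset));
        emit NewVault(vault, msg.sender);
    }

    // CREATE2 address: keccak256(0xff ++ factory ++ salt ++ keccak256(initCode))[12:].
    // Lets a caller check the address before deploying or funding the vault.
    function predictVault(address deployer, address asset, bytes32 userSalt)
        external
        view
        returns (address)
    {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(ExampleVault).creationCode, abi.encode(deployer, asset))
        );
        return address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), _salt(deployer, userSalt), initCodeHash)
        ))));
    }
}
```

Because the deployer is part of both the salt and the constructor arguments, a funding transaction replayed after a reorg either reaches the vault its sender deployed or an address with no vault at it.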