This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

VAD37 - DOS _mintShare() using Openzeppelin ERC1155 _mint callback #395

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments


sherlock-admin commented Mar 27, 2023

VAD37

high

DOS _mintShare() using Openzeppelin ERC1155 _mint callback

Summary

The ERC1155 function _mint() implemented by OpenZeppelin has a _doSafeTransferAcceptanceCheck() callback after minting a new token.

Carousel.sol allows a vault share or ERC1155 token to be minted at a later date by a Relayer user/contract.
The Relayer executes all deposits/mints one by one in a queue. If any queue item fails, the relayer cannot skip it.
There are many user input checks to prevent this, but not for the internal _mintShare() function.

Vulnerability Detail

  • Call deposit() with any contract address as the receiver address.
  • Anyone can set the _mintShare() receiver address to any contract that does not implement the onERC1155Received callback function.
  • _mintShare() uses the internal _mint() function from the OpenZeppelin ERC1155 contract.
  • ERC1155 has a _doSafeTransferAcceptanceCheck() callback to the receiver address after minting a new token.
  • Both functions used by the relayer, mintDepositInQueue() and mintRollovers(), will revert because the _doSafeTransferAcceptanceCheck() callback reverts.
  • This blocks the whole queue from being used, as the relayer cannot skip a failed queue item.

Impact

High. Permanently locks all user funds in depositQueue or the auto rollover feature. There is no withdrawal method for users in epoch 0 or the "queue epoch".

Code Snippet

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/ca822213f2275a14c26167bd387ac3522da67fe9/contracts/token/ERC1155/ERC1155.sol#L456-L464

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L531-L538

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L334

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L437

Tool used

Manual Review

Recommendation

Dirty fix: try-catch and throw the error into a failed queueItem array. Include a new withdrawal for the failed queue.

Duplicate of #468

@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
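
The skip-on-failure pattern from the Recommendation, as an added sketch that is not code from Carousel.sol or from the report. Every name (SkippableMintQueue, mintExternal, failedAssets, claimFailed) is hypothetical, and the `shares` mapping stands in for the ERC1155 balance that `_mint()` would update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration; every name here is hypothetical, not Carousel.sol's code.
interface IReceiver {
    function onERC1155Received(address, address, uint256, uint256, bytes calldata)
        external returns (bytes4);
}

contract SkippableMintQueue {
    struct QueueItem { address owner; address receiver; uint256 assets; }
    QueueItem[] public queue;
    uint256 public head;                             // next item to process
    mapping(address => uint256) public shares;       // stand-in for ERC1155 balances
    mapping(address => uint256) public failedAssets; // claimable by the depositor

    function enqueue(address receiver, uint256 assets) external {
        queue.push(QueueItem(msg.sender, receiver, assets));
    }

    // Stand-in for _mint() with the same acceptance rule. It is external and
    // self-only because try/catch can only wrap an external call.
    function mintExternal(address to, uint256 amount) external {
        require(msg.sender == address(this), "self only");
        shares[to] += amount;
        if (to.code.length > 0) {
            bytes4 ret = IReceiver(to).onERC1155Received(msg.sender, address(0), 0, amount, "");
            require(ret == IReceiver.onERC1155Received.selector, "rejected");
        }
    }

    // Relayer entry point: a failing item is recorded and skipped, so it
    // cannot block the items queued behind it.
    function processQueue(uint256 maxItems) external {
        uint256 start = head;
        uint256 end = queue.length;
        if (maxItems < end - start) end = start + maxItems;
        head = end; // advance first: a receiver callback may re-enter this function
        for (uint256 i = start; i < end; i++) {
            QueueItem memory item = queue[i];
            try this.mintExternal(item.receiver, item.assets) {} catch {
                failedAssets[item.owner] += item.assets; // the mint was rolled back
            }
        }
    }

    // Pull-style exit for skipped deposits (the asset transfer itself is omitted).
    function claimFailed() external returns (uint256 amount) {
        amount = failedAssets[msg.sender];
        failedAssets[msg.sender] = 0;
    }
}
```

The receiver callback still receives most of the remaining gas, so a production version would also cap the gas forwarded to the inner call.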