CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: high

Salt could be overwritten in `EscrowFactory.sol`

yakuzakiawe

Summary

The newEscrow() function in the EscrowFactory contract does not check to see if the salt value is unique. This means that it is possible to overwrite an existing escrow contract by deploying a new escrow contract with the same salt value.

Vulnerability Details

The newEscrow() function in the EscrowFactory contract is vulnerable to the following attack:

Deploy an escrow contract with a random salt value.
Get the address of the escrow contract.
Store the address of the escrow contract.
Deploy a new escrow contract with the same salt value as the first escrow contract.
The new escrow contract will overwrite the first escrow contract.

There are some peculiarities in relation to salted creation. A contract can be re-created at the same address after having been destroyed. Yet, it is possible for that newly created contract to have a different deployed bytecode even though the creation bytecode has been the same (which is a requirement because otherwise the address would change). This is due to the fact that the constructor can query external state that might have changed between the two creations and incorporate that into the deployed bytecode before it is stored.

Impact

If an attacker is able to overwrite an escrow contract, they could steal the funds that are held in the escrow contract.

Tools Used

Manual code review

Recommendations

To fix the bug, the following changes should be made to the EscrowFactory contract:

The newEscrow() function should be updated to check to see if the salt value is unique.
The EscrowFactory contract should keep a registry of deployed escrow contracts.
The EscrowFactory contract should add a withdrawal pattern to refund remaining tokens if an escrow contract is overwritten.

Mitigation

The following mitigation measures can be taken to reduce the risk of this bug being exploited:

Use a random salt value that is generated by a secure random number generator.
Store the salt value in a secure location.
Monitor the EscrowFactory contract for signs of malicious activity.

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.