40,000 USDC
Submission Details
Severity: medium

EscrowFactory.computeEscrowAddress() does not validate the Escrow bytecode it hashes

Summary

The computeEscrowAddress() function in the EscrowFactory contract takes a caller-supplied byteCode parameter and never checks that it is the creation code of the Escrow contract (type(Escrow).creationCode). The function is declared pure: it only evaluates the CREATE2 address formula and deploys nothing, so calling it with malicious bytecode puts no contract on chain. What it does return is the address at which that bytecode would land if the named deployer performed CREATE2 with the same salt and constructor arguments. The missing check therefore matters only where the returned address is trusted as a genuine Escrow, or where the factory's deployment path (not shown in this submission) could be fed the same unvalidated bytecode.

Vulnerability Details

The computeEscrowAddress() function in the EscrowFactory contract hashes whatever byteCode it is given straight into the CREATE2 derivation. The sequence a caller can perform is:

  1. Obtain the address of the deployed EscrowFactory contract (the deployer in the formula).

  2. Craft arbitrary bytecode in place of the Escrow creation code.

  3. Call computeEscrowAddress() with that bytecode, any salt, and any constructor arguments.

  4. The function returns the CREATE2 address that bytecode would be deployed to by the deployer.

Because the function is pure, step 4 changes no state: nothing is deployed, and the returned address holds no code unless the deployer actually executes CREATE2 with the identical init code (bytecode plus ABI-encoded constructor arguments) and salt. Since the init-code hash is part of the derivation, substituting different bytecode also yields a different address, so the value returned for malicious bytecode is not the address of any real Escrow. Whether attacker-controlled bytecode can reach an actual deployment depends on the factory's deployment function, which is not part of this submission.

function computeEscrowAddress(
    bytes memory byteCode,      // caller-supplied; never compared to type(Escrow).creationCode
    address deployer,
    uint256 salt,
    uint256 price,
    IERC20 tokenContract,
    address buyer,
    address seller,
    address arbiter,
    uint256 arbiterFee
) public pure returns (address) {
    // CREATE2 (EIP-1014): keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode))[12:],
    // where initCode = byteCode ++ abi.encode(constructor arguments).
    address predictedAddress = address(
        uint160(
            uint256(
                keccak256(
                    abi.encodePacked(
                        bytes1(0xff),
                        deployer,
                        salt,
                        keccak256(
                            abi.encodePacked(
                                byteCode,
                                abi.encode(
                                    price,
                                    tokenContract,
                                    buyer,
                                    seller,
                                    arbiter,
                                    arbiterFee
                                )
                            )
                        )
                    )
                )
            )
        )
    );
    return predictedAddress;
}

Impact

On its own the function cannot move, lock or steal funds: it is pure and performs no deployment. The exposure is indirect. If a front end, script or integrating contract treats the returned address as a genuine Escrow without confirming that the expected Escrow code is actually deployed there, funds sent to that address could be lost or sent to code of the bytecode supplier's choosing. Any stronger impact would require the factory's deployment function to accept the same unvalidated bytecode, which this submission does not demonstrate.

Tools Used

Manual code review

Recommendations

The computeEscrowAddress() function should not accept arbitrary bytecode. Either remove the byteCode parameter and use type(Escrow).creationCode inside the function, or require that keccak256(byteCode) equals keccak256(type(Escrow).creationCode) before computing the address. Independently of the prediction helper, any caller that relies on a predicted address should confirm the code at that address (for example by checking its extcodehash against the expected Escrow runtime code hash) before sending funds to it.
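As an added example, not code from the audited project or from this submission, the following Python reproduces the derivation shown under Vulnerability Details off-chain and implements the hash comparison just recommended, so a reviewer can regenerate a predicted address and observe that the address commits to the bytecode. It carries its own Keccak-256 so it runs with no dependencies; the factory, token and party addresses, the salt, and both bytecode strings are constructed placeholders rather than the real Escrow creation code.

```python
"""Off-chain mirror of EscrowFactory.computeEscrowAddress() (CREATE2, EIP-1014).

Added example for this write-up, not code from the audited project. Carries a
pure-Python Keccak-256 so it runs offline; every address, salt and bytecode
below is a constructed placeholder, not the real Escrow creation code.
"""

MASK64 = (1 << 64) - 1

# Rotation offsets of the rho step, indexed [x][y] for lane (x, y).
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f1600(a):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes stored as a[x + 5*y]."""
    lfsr = 1  # LFSR over x^8+x^6+x^5+x^4+1 that yields the iota round constants
    for _ in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                        # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                           # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x][y])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                         # chi
        for j in range(7):                                               # iota
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) & 0xFF
            if lfsr & 2:
                a[0] ^= 1 << ((1 << j) - 1)
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 with 0x01 padding, as used by the EVM (not SHA3-256)."""
    rate = 136
    padded = bytearray(data) + b"\x01" + b"\x00" * (rate - 1 - len(data) % rate)
    padded[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(padded), rate):
        block = padded[off:off + rate]
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = _keccak_f1600(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])


def _addr(hex_addr: str) -> bytes:
    raw = bytes.fromhex(hex_addr[2:] if hex_addr.startswith("0x") else hex_addr)
    assert len(raw) == 20, "address must be 20 bytes"
    return raw


def _uint256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def abi_encode_constructor_args(price, token, buyer, seller, arbiter, arbiter_fee) -> bytes:
    """abi.encode(uint256, address, address, address, address, uint256): six 32-byte words."""
    words = [_uint256(price)] + [_addr(a).rjust(32, b"\x00") for a in (token, buyer, seller, arbiter)]
    return b"".join(words + [_uint256(arbiter_fee)])


def create2_address(deployer: str, salt: int, init_code: bytes) -> str:
    """EIP-1014: keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code))[12:], lowercase hex."""
    digest = keccak256(b"\xff" + _addr(deployer) + _uint256(salt) + keccak256(init_code))
    return "0x" + digest[12:].hex()


def compute_escrow_address(byte_code, deployer, salt, price, token, buyer, seller, arbiter, arbiter_fee):
    """Same derivation as the Solidity function: init code = byteCode ++ abi.encode(args)."""
    init_code = byte_code + abi_encode_constructor_args(price, token, buyer, seller, arbiter, arbiter_fee)
    return create2_address(deployer, salt, init_code)


def is_expected_creation_code(byte_code: bytes, expected_creation_code: bytes) -> bool:
    """The recommended guard: keccak256(byteCode) == keccak256(type(Escrow).creationCode)."""
    return keccak256(byte_code) == keccak256(expected_creation_code)


# Constructed placeholders (not the real contract bytecode and not live addresses).
ESCROW_CREATION_CODE = bytes.fromhex("608060405234801561001057600080fd5b50")
MALICIOUS_CODE = bytes.fromhex("608060405234801561001057600080fd5b5000")
FACTORY = "0x1111111111111111111111111111111111111111"
TOKEN = "0x2222222222222222222222222222222222222222"
BUYER = "0x3333333333333333333333333333333333333333"
SELLER = "0x4444444444444444444444444444444444444444"
ARBITER = "0x5555555555555555555555555555555555555555"


def predicted_addresses(salt: int = 1, price: int = 10**18, arbiter_fee: int = 10**16):
    """Prediction for the expected creation code versus the substituted bytecode."""
    args = (FACTORY, salt, price, TOKEN, BUYER, SELLER, ARBITER, arbiter_fee)
    return compute_escrow_address(ESCROW_CREATION_CODE, *args), compute_escrow_address(MALICIOUS_CODE, *args)


if __name__ == "__main__":
    genuine, substituted = predicted_addresses()
    print("expected bytecode  ->", genuine)
    print("substituted bytecode ->", substituted)
    print("guard rejects substitute:", not is_expected_creation_code(MALICIOUS_CODE, ESCROW_CREATION_CODE))
```

predicted_addresses() returns two different addresses for the two bytecode strings, which is the property behind the caveat above: a predicted address only corresponds to a real Escrow if the bytecode hashed into it is the one the deployer actually uses. Before relying on the keccak256() helper, check it against a known vector (keccak256 of the empty string is 0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470), and verify any live prediction by comparing the extcodehash at that address with the expected Escrow runtime code hash. Addresses are returned in lowercase hex without the EIP-55 checksum.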
