CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: low

salt front-run mitigation

owl

Summary

Current implementation allows newEscrow deployer to arbitrarly set salt, which is a known vulnerbility

Vulnerability Details

arbitrary salt exposes newEscrow deployment proccess to front-run attacks, where malicous user can bid more gas to deploy the same contract before the actual user, potentially taking control of the escrow contract as well as the tokens

Tools Used

manual review

Recommendations

Using a random salt for each escrow could prove very beneficial here, utilizing block.prevrandaoto generate a completely random new salt for each new escrow
more precisely bytes32(uint256(keccak256(abi.encodePacked(block.prevrandao))))
which would leave the salt completely out of any user's calldata as well remedy the potential vulnerability

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.