Severity: medium

Attacker can make creation of newEscrow fail

Summary

An attacker can make users' escrow creation fail by front-running the buyer who is trying to create a newEscrow.

Vulnerability Details

In the EscrowFactory.sol contract, the newEscrow function generates the escrow address in the address computedAddress = computeEscrowAddress( call. Because computeEscrowAddress uses the CREATE2 method to generate addresses, an attacker can easily grief users, block them from creating a newEscrow, and make the protocol useless and broken.

The attacker can front-run the creation TX with their own creation request, with the same parameters. This would create the exact address created by the CREATE2 call, since the parameters, and therefore the final salt, will be the same. When the victim's transaction is then executed, the computed address is non-empty, so the EVM would reject its creation.

Impact

Users will no longer be able to create a newEscrow because of bad actors. Bad actors can even set up a bot and make the contract unusable forever.

https://github.com/Cyfrin/2023-07-escrow/blob/65a60eb0773803fa0be4ba72defaec7d8567bccc/src/EscrowFactory.sol#L77

    function computeEscrowAddress(
        bytes memory byteCode,
        address deployer,
        uint256 salt,
        uint256 price,
        IERC20 tokenContract,
        address buyer,
        address seller,
        address arbiter,
        uint256 arbiterFee
    ) public pure returns (address) {
        // CREATE2 address: last 20 bytes of keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode)),
        // where initCode is the creation bytecode followed by the ABI-encoded constructor arguments.
        address predictedAddress = address(
            uint160(
                uint256(
                    keccak256(
                        abi.encodePacked(
                            bytes1(0xff),
                            deployer,
                            salt,
                            keccak256(
                                abi.encodePacked(
                                    byteCode, abi.encode(price, tokenContract, buyer, seller, arbiter, arbiterFee)
                                )
                            )
                        )
                    )
                )
            )
        );
        return predictedAddress;
    }

Tools Used

Manual review, VS Code

Recommendations

  • The best fix for this issue is to use an ever-increasing nonce counter to guarantee unique contract addresses, like this:

    byteCode, abi.encode(price, tokenContract, buyer, seller, arbiter, arbiterFee, nonce)
    nonce++;
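
The derivation in computeEscrowAddress and the effect of the recommended nonce can be checked off-chain. The Python sketch below is an added example, not code from the submission or the Escrow project: it reimplements Keccak-256 and the CREATE2 formula shown above. The helper names are hypothetical, and the bytecode, addresses and amounts at the end are constructed placeholders.

```python
# Added example: pure-Python Keccak-256 plus the CREATE2 derivation from computeEscrowAddress.
M = (1 << 64) - 1

def rol(a, n):  # rotate a 64-bit lane left by n bits
    n %= 64
    return ((a << n) | (a >> (64 - n))) & M

def keccak_f(A):  # Keccak-f[1600] on 25 lanes, lane (x, y) stored at index x + 5*y
    R = 1
    for _ in range(24):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]  # theta
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        x, y, cur = 1, 0, A[1]  # rho and pi
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x + 5 * y] = A[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):  # chi, one row at a time
            T = A[y:y + 5]
            for x in range(5):
                A[y + x] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        for j in range(7):  # iota, round constant generated by an LFSR
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def keccak256(data: bytes) -> bytes:
    rate = 136  # bytes absorbed per block for a 256-bit digest
    p = bytearray(data) + b"\x01" + bytes(-(len(data) + 1) % rate)  # Keccak pad, not SHA-3's 0x06
    p[-1] ^= 0x80
    A = [0] * 25
    for off in range(0, len(p), rate):
        for i in range(rate // 8):
            A[i] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f(A)
    return b"".join(a.to_bytes(8, "little") for a in A[:4])

def word(v) -> bytes:  # abi.encode of one uint256 or address: a 32-byte big-endian word
    return (int(v, 16) if isinstance(v, str) else v).to_bytes(32, "big")

def create2_address(deployer: str, salt: int, init_code: bytes) -> str:
    pre = b"\xff" + bytes.fromhex(deployer[2:]) + salt.to_bytes(32, "big") + keccak256(init_code)
    return "0x" + keccak256(pre)[12:].hex()  # low 20 bytes of the hash

def compute_escrow_address(byte_code, deployer, salt, *ctor_args):
    # ctor_args mirrors abi.encode(price, tokenContract, buyer, seller, arbiter, arbiterFee[, nonce])
    return create2_address(deployer, salt, byte_code + b"".join(word(a) for a in ctor_args))

# Constructed sample values, not taken from the contest repository
CODE, FACTORY = bytes.fromhex("6080"), "0x" + "11" * 20
ARGS = (100, "0x" + "22" * 20, "0x" + "33" * 20, "0x" + "44" * 20, "0x" + "55" * 20, 5)
```

Calling compute_escrow_address(CODE, FACTORY, 1, *ARGS) twice returns the same address, while appending a different nonce as a seventh constructor argument yields a different address each time.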
