Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

A malicious user can steal contest owner tokens

vladzaev

Summary

A malicious user can frontrun the proxy contract creation to get assets from the owner.

Vulnerability Details

A user can calculate a future Proxy address with the next function:

function getProxyAddress(bytes32 salt, address implementation) public view returns (address proxy) {
bytes memory code = abi.encodePacked(type(Proxy).creationCode, uint256(uint160(implementation)));
bytes32 hash = keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, keccak256(code)));
proxy = address(uint160(uint256(hash)));
}

Also it quite easy to find out the salt that is based on a organizer address, contestId and implementation contract address.

function _calculateSalt(address organizer, bytes32 contestId, address implementation)
internal
pure
returns (bytes32)
{
return keccak256(abi.encode(organizer, contestId, implementation));
}

So a malicious user can watch for new setContest() users were set, calculate a future Proxy address of the target and wait till the contest owner will send tokens to it.

Contest owner has to send tokens to the Proxy contract in advance, as it is requires by the protocol rules.

Right after it a malicious user can deploy a calculated Proxy contract with a malicious implementation contract address and steal all tokens.

Impact

Hacker can steal contest owner tokens.

Tools Used

Manual review

Recommendations

Provide a check if Proxy contract was already deployed and if so, recalculate the address.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.