The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Attacker can frontrun minting and vault deployments to deploy to the same address

Summary

Vaults are created from the factory via CREATE1. An attacker can front-run deployVault to deploy at the same address, but with different configurations. Also, since the protocol is to be deployed on multiple chains, the deployed chain can reorg, and a different vault might be deployed at the same address, causing transactions to be made to the malicious vault instead.

Vulnerability Details

  1. User1 sets out to deploy a vault at 0x1234 and fires a transaction to mint and create a new vault.

  2. User2 frontruns the vault deployment by deploying a malicious vault at 0x1234.

  3. User1's transaction euros end up being deposited into User2's malicious vault.

function mint() external returns (address vault, uint256 tokenId) {
    tokenId = lastToken + 1;
    _safeMint(msg.sender, tokenId);
    lastToken = tokenId;
    vault = ISmartVaultDeployer(smartVaultDeployer).deploy(address(this), msg.sender, euros); //@note
    smartVaultIndex.addVaultAddress(tokenId, payable(vault));
    IEUROs(euros).grantRole(IEUROs(euros).MINTER_ROLE(), vault);
    IEUROs(euros).grantRole(IEUROs(euros).BURNER_ROLE(), vault);
    emit VaultDeployed(vault, msg.sender, euros, tokenId);
}

function deploy(address _manager, address _owner, address _euros) external returns (address) { //@note
    return address(new SmartVaultV3(NATIVE, _manager, _owner, _euros, priceCalculator));
}

Impact

Loss of funds, as transactions will be made to the maliciously deployed vault.

Tools Used

Manual Code Review

Recommendations

Use CREATE2 with salt.
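
The recommendation above (CREATE2 with a salt), sketched as an added example that is not code from the submission or from The Standard's repository. VaultStub stands in for SmartVaultV3, and Create2VaultDeployer, saltFor and predict are hypothetical names; restricting deploy to the manager is an assumption added so that another caller cannot occupy a predictable address first.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not project code. VaultStub stands in for SmartVaultV3;
// Create2VaultDeployer, saltFor and predict are hypothetical names.
contract VaultStub {
    address public immutable manager;
    address public immutable owner;
    address public immutable euros;

    constructor(address _manager, address _owner, address _euros) {
        manager = _manager;
        owner = _owner;
        euros = _euros;
    }
}

contract Create2VaultDeployer {
    address public immutable manager; // assumed: the only caller allowed to deploy

    constructor(address _manager) { manager = _manager; }

    // Salt commits to owner and token id, so a vault for a different owner
    // cannot land on this address through this deployer.
    function saltFor(address _owner, uint256 _tokenId) public pure returns (bytes32) {
        return keccak256(abi.encode(_owner, _tokenId));
    }

    function deploy(address _owner, address _euros, uint256 _tokenId) external returns (address) {
        // Without this check anyone could occupy a predicted address first.
        require(msg.sender == manager, "only manager");
        return address(new VaultStub{salt: saltFor(_owner, _tokenId)}(manager, _owner, _euros));
    }

    // CREATE2 address = last 20 bytes of
    // keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code)), where
    // init_code is the creation code plus the ABI-encoded constructor arguments.
    function predict(address _owner, address _euros, uint256 _tokenId) external view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(VaultStub).creationCode, abi.encode(manager, _owner, _euros))
        );
        return address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), saltFor(_owner, _tokenId), initCodeHash)
        ))));
    }
}
```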

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

informational/invalid
