DeFiHardhatOracleProxyUpdates
100,000 USDC
View results
Submission Details
Severity: low
Invalid

[H-01] Potential Reentrancy Vulnerability in Depot Contract's farm Function

Summary

The farm function in the provided Depot contract allows users to execute multiple function calls within a single transaction. However, it utilizes the delegatecall instruction without proper reentrancy protection, potentially leading to a reentrancy vulnerability.

Impact

A malicious actor could exploit this vulnerability to execute a reentrant attack, allowing them to call the farm function and perform malicious actions within one of the function calls before the initial transaction completes. This could lead to various detrimental outcomes, including:

  • Stealing funds: The attacker could call a function within the data array that transfers funds from the user's account to a malicious address.

  • Manipulating state: The attacker could call a function that modifies the contract's state in a way that benefits them, such as manipulating token balances or manipulating voting rights.

  • Denial-of-service (DoS): The attacker could create an infinite loop within one of the function calls, preventing the initial transaction from completing and potentially locking up the contract.

Proof of Concept (PoC)

Here's a simplified example of how a reentrancy attack could be potentially exploited:

  1. Attacker initiates the farm function: The attacker provides an array of function calls (data) containing two elements.

  2. First function call: The first function call is a legitimate function that does not affect the attacker's balance or the contract's state.

  3. Malicious function call: The second function call is a malicious function designed to steal funds from the user. This function could, for example, call the transferToken function to transfer the user's balance to a controlled address.

  4. Reentrancy: Before the initial transaction completes (including the call to the malicious function), the attacker exploits a vulnerability in the called function (outside of the Depot contract) to re-enter the farm function.

  5. Second execution of the malicious function: Since the initial transaction hasn't been completed, the contract state hasn't been updated, and the attacker's balance remains the same. The malicious function is executed again, potentially stealing the user's funds a second time.

function testExploit() public {
// Record the attacker's balance before the exploit
uint256 attackerBalanceBefore = attacker.balance;
// Prepare the attack call data
bytes memory exploitData = abi.encodeWithSelector(
AttackerContract.attack.selector
);
// Create an array of bytes to simulate batch calls
bytes[] memory data = new bytes[](2);
data[0] = exploitData;
data[1] = exploitData;
// Simulate the attack
vm.prank(attacker);
depot.farm(data);
// Record the attacker's balance after the exploit
uint256 attackerBalanceAfter = attacker.balance;
// Assert that the attacker's balance has increased as a result of the exploit
assert(attackerBalanceAfter > attackerBalanceBefore);
}

Recommendations

There are several ways to mitigate this vulnerability:

  1. Use a secure alternative to delegatecall: Instead of using delegatecall, consider using a safer alternative like call or staticcall. These options prevent the called function from modifying the caller's state, eliminating the reentrancy risk.

  2. Implement reentrancy protection: If delegatecall is necessary, implement reentrancy protection mechanisms like checks and locks to ensure state updates only occur once per transaction.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Re-entrancy

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.