TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Directly using `CREATE` to deploy SpiceAuction makes execution vulnerable to a re-org attack

inh3l

Links

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/SpiceAuctionFactory.sol#L42

Summary

SpiceAuctionFactory.sol uses the CREATE deploy a SpiceAuction.sol, since the new keyword is being used for the deployment, this method however leaves the approach susceptible to a re-org attack.

Vulnerability Details

The createAuction function in SpiceAuctionFactory.sol allows the admins to deploy a new SpiceAuction contract. This method uses the new keyword when deploying, which makes it susceptible to a re-org attack, which means an attacker can take control of the to-deploy contract while the chain is down/ or the re-org is going on, considering protocol is to be deployed on ethereum and any EVM, including optimistic ones so the chances of this occurring are higher than average.

function createAuction(address spiceToken, string memory name) external override onlyElevatedAccess returns (address) {

if (spiceToken == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }

if (spiceToken == templeGold) { revert CommonEventsAndErrors.InvalidParam(); }

SpiceAuction spiceAuction = new SpiceAuction(templeGold, spiceToken, daoExecutor, name);

bytes32 pairId = _getPairHash(spiceToken);

/// @dev not checking pair address exists to allow overwrite in case of a migration

deployedAuctions[pairId] = address(spiceAuction);

emit AuctionCreated(pairId, address(spiceAuction));

return address(spiceAuction);

}

For reference links for some previous reorgs that happened in the past:

Ethereum: https://decrypt.co/101390/ethereum-beacon-chain-blockchain-reorg

Polygon:

https://polygonscan.com/block/36757444/f?hash=0xf9aefee3ea0e4fc5f67aac48cb6e25912158ce9dca9ec6c99259d937433d6df8
https://protos.com/polygon-hit-by-157-block-reorg-despite-hard-fork-to-reduce-reorgs/ - February last year, 157 blocks depth

Optimistic rollups (Optimism/Arbitrum) are also vulnerable to reorgs since if someone finds a fraud the blocks will be reverted, even though the user receives a confirmation. These are the biggest events of reorgs that happened, here is a link for forked blocks, which means excluded blocks as a result of "Block Reorganizations" on Polygon: https://polygonscan.com/blocks_forked?p=1, where can be observed that at least two-digit block reorgs happen every month.

Impact

The deployment method of the SpiceAuction contract is unsafe considering a re-org attack would allow an attacker take over the contract, and potentally steal transferred funds from it. Any user that relies on the address derivation in advance, any funds/tokens sent to it could potentially be lost as the newly deployed SpiceAuction contract will be different from the address they had derived and had sent funds to .

Tools Used

Manual Review

Recommendations

Consider using create2 and a non-constant salt value when deploying.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.