TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Use of CREATE method is susceptible to reorg attack

Summary

When a multisig wants to create a linear or tranched airstream, it calls SpiceAuctionFactory::createAuction. However, these functions use the CREATE method (as can be seen in the provided GitHub permalinks), which is susceptible to reorg attacks.

Vulnerability Details

As mentioned in the report's title, reorgs can occur on all EVM chains, most likely on L2s like Arbitrum or Polygon, and as stated in the protocol's README, TempleGold is compatible with "Any network which is EVM compatible". Here are some reference links for previous reorgs:

Ethereum: https://decrypt.co/101390/ethereum-beacon-chain-blockchain-reorg - 2 years ago

Polygon: https://polygonscan.com/block/36757444/f?hash=0xf9aefee3ea0e4fc5f67aac48cb6e25912158ce9dca9ec6c99259d937433d6df8 - 2 years ago; this one had a depth of 120 blocks, which means 4 minutes of rewritten transactions, since the block rate is ~2 seconds

Polygon: https://protos.com/polygon-hit-by-157-block-reorg-despite-hard-fork-to-reduce-reorgs/ - February last year, 157 blocks depth

Optimistic rollups (Optimism/Arbitrum) are also susceptible to reorgs, since if someone finds a fraud the blocks will be reverted, even though the user has received a confirmation.

These are the biggest reorg events that have happened. Here is a link to forked blocks, meaning blocks excluded as a result of "Block Reorganizations" on Polygon: https://polygonscan.com/blocks_forked?p=1, where it can be observed that reorgs of at least two-digit block depth happen every month.

createAuction in SpiceAuctionFactory is vulnerable to block reorgs, but because its accessibility is limited (it is going to be deployed via a multisig) and no funds are involved, there is no benefit an attacker could gain from such an attack.

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/SpiceAuctionFactory.sol#L42

Impact

Impact: Low. It might only be a DoS, since deployment is controlled by a multisig.

Likelihood: Low, as it requires a block reorganization event, and the creator of the stream has the option not to fund it immediately.

Overall: Low

Tools Used

Manual Review

Recommendations

Deploy the newly created Auction contract via CREATE2 with a salt that includes msg.sender.
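A minimal sketch of this recommendation, added here as an example and not taken from the TempleGold code base. AuctionStub, SaltedAuctionFactory, predictAuction and the constructor arguments are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the auction contract; not the project's SpiceAuction.
contract AuctionStub {
    address public immutable spiceToken;
    address public immutable creator;

    constructor(address _spiceToken, address _creator) {
        spiceToken = _spiceToken;
        creator = _creator;
    }
}

// Hypothetical factory: the deployed address depends on the caller, not on the factory nonce.
contract SaltedAuctionFactory {
    event AuctionCreated(address indexed creator, address indexed spiceToken, address auction);

    // The salt binds the address to the caller and the spice token, so a call that is
    // re-ordered or replaced after a reorg by a different sender lands at a different address.
    function _salt(address creator, address spiceToken) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(creator, spiceToken));
    }

    function createAuction(address spiceToken) external returns (address auction) {
        // `new C{salt: s}(args)` uses CREATE2; it reverts if that address already holds code,
        // so this sketch allows one auction per (creator, spiceToken) pair.
        auction = address(
            new AuctionStub{salt: _salt(msg.sender, spiceToken)}(spiceToken, msg.sender)
        );
        emit AuctionCreated(msg.sender, spiceToken, auction);
    }

    // CREATE2 address = last 20 bytes of keccak256(0xff ++ factory ++ salt ++ keccak256(initCode)).
    // Lets the multisig verify the target address before funding it.
    function predictAuction(address creator, address spiceToken) external view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(AuctionStub).creationCode, abi.encode(spiceToken, creator))
        );
        return address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), _salt(creator, spiceToken), initCodeHash)
        ))));
    }
}
```

With plain CREATE the address is derived from the factory address and its nonce only, which is why the order of deployments within a reorganized block range can change which contract ends up at a given address.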

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
