Inside `SpiceAuctionFactory::createAuction` function, use of `create` method is vulnerable to reorgs.
Summary
SpiceAuction contract creation is done through CREATE opcode which is vulnerable to reorgs, especially as the protocol aims to deploy on various EVM chains.(Mentioned in scope)
Vulnerability Details
The protocol aims to deploy on EVM compatible chains, including optimistic rollups (Optimism/Arbitrum) are notorious of having reorgs issues. Other chains like ethereum, polygon etc also have reorgs happen at one point in the past or another.
The creation of the SpiceAuction contract relies on ordinary CREATE opcode which is vulnerable to these kinds of attacks. The issue would happen when users rely on the address derivation in advance or try to deploy the position clone with the same address on different EVM chains or try to fund the contract the sent funds to the new contract could potentially be withdrawn by another user which could lead to the theft of user funds.
protocol/contracts/templegold/SpiceAuctionFactory.sol
Impact
If users rely on the address derivation in advance, any funds/tokens sent to it could potentially be withdrawn by anyone else leading to the theft of user funds.
Tools Used
Manual Review
Recommendations
Try the deployment using create2 with salt that includes real msg.sender.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.