DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

`CREATE2` address collision when creating the `auctionAddress` auction contract

Summary

The factory function createAuction() deploys a new FjordAuction contract with CREATE2. Because the resulting address is fully determined by the factory address, the salt and the constructor arguments, it can be computed before deployment, so finding an address collision against a not-yet-deployed auction is possible.

Vulnerability Details

(NOTE: This report is heavily inspired by this past valid report.)

Note that in createAuction the CREATE2 salt, auctionToken, biddingTime and totalTokens are all supplied by the caller (fjordPoints comes from factory state). Since the salt and the constructor arguments both feed into the CREATE2 address, letting the caller choose the salt is what makes this attack possible. The function is onlyOwner, so in this code base the caller is the factory owner rather than an arbitrary user.

```solidity
// From the auction factory; the surrounding contract, pragma and imports are not shown on the page.
function createAuction(
    address auctionToken,
    uint256 biddingTime,
    uint256 totalTokens,
    bytes32 salt
) external onlyOwner {
    // CREATE2 deployment: the address depends only on this factory's address,
    // the caller-supplied salt and the constructor arguments (init code).
    address auctionAddress = address(
        new FjordAuction{ salt: salt }(fjordPoints, auctionToken, biddingTime, totalTokens) // <==
    );
    // Transfer the auction tokens from the msg.sender to the new auction contract
    IERC20(auctionToken).transferFrom(msg.sender, auctionAddress, totalTokens);
    emit AuctionCreated(auctionAddress);
}
```

Impact

Complete draining of an auction pool if an address collision is found: the totalTokens transferred to auctionAddress at creation would land at an address the attacker already controls.

Tools Used

Manual Review

Recommendations

Do not accept a caller-supplied salt, and do not derive the salt from the caller's address either; let the factory choose it from state it controls.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
