DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Predictable salt values used in Auction factory (Computed in FjordAuctionScript.run()) could be used to duplicate auction creation.

Relevant Github Links

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuctionFactory.sol#L59
https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/script/forge/DeployAuction.s.sol#L18

Summary

By precomputing the address of the auction contract, an attacker can disrupt the auction process, causing financial losses and operational issues. Mitigating these vulnerabilities involves using unpredictable salts, performing pre-deployment checks, and implementing robust access control mechanisms.

Vulnerability Details

The salt is predictable because it relies on the block.timestamp and msg.sender, both of which are publicly available and easily accessible on the blockchain. An attacker could front-run or duplicate the auction creation by predicting the salt value, potentially causing unintended behavior or duplicate auctions.

The AuctionFactory contract is designed to create new instances of an auction contract (FjordAuction) using the create2 opcode. The FjordAuctionScript is responsible for calling this factory to create auctions.

Impact

Impact on create2 Deterministic Address:

  • The createAuction function uses create2 to generate a deterministic address for the new auction contract, based on the salt provided. If the salt is predictable, an attacker could precompute or predict the auction contract's address and potentially take malicious actions, such as deploying a contract with the same address on another chain or attempting to interfere with the auction.

Tools Used

Manual Review

Recommendations

The salt value should be carefully generated, preferably using a more complex and unpredictable value. The current script's approach of using keccak256(abi.encodePacked(block.timestamp, msg.sender)) is predictable and should be replaced with a more secure random value, or it should allow users to specify their own unique and unpredictable salt.

Reference: https://solodit.xyz/issues/m-11-factorycreate-predictability-of-pool-address-creates-multiple-issues-code4rena-caviar-caviar-private-pools-git
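The sketch below is an added example, not code from the submission or from the Fjord repository. It shows how a create2 address follows from the salt (EIP-1014) and one way to apply the recommended mitigations: binding the caller into the salt and checking the predicted address before deploying. `Child`, `SaltedFactory` and every function name are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the deployed auction contract.
contract Child {
    address public immutable creator;
    constructor(address _creator) { creator = _creator; }
}

// Hypothetical factory illustrating the recommendations; not the project's factory.
contract SaltedFactory {
    error AddressAlreadyDeployed(address predicted);

    // Salt as the deployment script derives it: both inputs are public,
    // so anyone can recompute this value for a given block and sender.
    function scriptSalt(uint256 timestamp, address sender) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(timestamp, sender));
    }

    // Mitigation: mix the caller into the salt inside the factory, so the
    // same user-supplied salt from another account yields another address.
    function boundSalt(address caller, bytes32 userSalt) public pure returns (bytes32) {
        return keccak256(abi.encode(caller, userSalt));
    }

    // EIP-1014: address = last 20 bytes of
    // keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code)).
    function predict(bytes32 salt, address creator) public view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(Child).creationCode, abi.encode(creator))
        );
        return address(uint160(uint256(
            keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash))
        )));
    }

    function create(bytes32 userSalt) external returns (address child) {
        bytes32 salt = boundSalt(msg.sender, userSalt);
        address predicted = predict(salt, msg.sender);
        // Pre-deployment check: report an occupied address explicitly
        // instead of relying on the bare create2 failure.
        if (predicted.code.length != 0) revert AddressAlreadyDeployed(predicted);
        child = address(new Child{salt: salt}(msg.sender));
        // The deployed address must match the EIP-1014 prediction.
        assert(child == predicted);
    }
}
```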

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
