Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Potential Denial-of-Service Vulnerability in PreMarktes::createOffer

ayoashy

Summary

A critical vulnerability has been identified in PreMarktes::createOffer potentially allowing an attacker to create a denial-of-service (DoS) condition. The vulnerability stems from the predictable nature of address generation for makers, offers, and stocks, which relies solely on an incrementing offerId. This predictability could be exploited by an attacker to prevent legitimate users from creating new offers, thereby disrupting the system's normal operation.

Vulnerability Details

The PreMarkets::createOffer function generates addresses for makers, offers, and stocks using the current offerId

address makerAddr = GenerateAddress.generateMakerAddress(offerId);
address offerAddr = GenerateAddress.generateOfferAddress(offerId);
address stockAddr = GenerateAddress.generateStockAddress(offerId);

These generated addresses are then verified against existing entries in the makerInfoMap, offerInfoMap, and stockInfoMap mappings. If any of these addresses already have a non-zero authority value, the transaction is reverted:

if (makerInfoMap[makerAddr].authority != address(0x0)) {
revert MakerAlreadyExist();
}
if (offerInfoMap[offerAddr].authority != address(0x0)) {
revert OfferAlreadyExist();
}
if (stockInfoMap[stockAddr].authority != address(0x0)) {
revert StockAlreadyExist();
}

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L39-L82

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/libraries/GenerateAddress.sol#L9-L31

An attacker could exploit this by:

  • Predicting Future Addresses: Since the address generation relies solely on the offerId, an attacker can predict future offerId values and the corresponding generated addresses for makers, offers, and stocks.

  • Preemptively Setting Non-Zero Authority Values: The attacker could create offers or manipulate the system to set non-zero authority values for these predicted addresses before legitimate users can use them.

  • Blocking Legitimate Transactions: When a legitimate user attempts to create a new offer, the system will generate the same addresses, find that they already have non-zero authority values, and revert the transaction. This effectively blocks the user from creating new offers, leading to a denial-of-service condition.

Impact

If successfully exploited, this vulnerability can lead to a severe denial-of-service condition where legitimate users are unable to create new offers in the system. This would significantly disrupt the platform’s functionality, erode user trust, and potentially lead to financial losses.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, it is recommended to use a more sophisticated method for generating unique addresses. Instead of relying solely on the offerId, incorporate additional entropy sources such as block variables, msg.sender, and cryptographic techniques. This approach will reduce the predictability of address generation and prevent potential collisions.

improve GenerateAddress::generateMakerAddress,generateOfferAddress,generateStockAddress to

function generateMakerAddress(uint256 _id) internal view returns (address) {
return address(uint160(uint256(keccak256(abi.encodePacked(
_id,
"maker",
block.timestamp,
block.number,
msg.sender,
address(this),
blockhash(block.number - 1)
)))));
}
function generateOfferAddress(uint256 _id) internal view returns (address) {
return address(uint160(uint256(keccak256(abi.encodePacked(
_id,
"offer",
block.timestamp,
block.number,
msg.sender,
address(this),
blockhash(block.number - 1)
)))));
}
function generateStockAddress(uint256 _id) internal view returns (address) {
return address(uint160(uint256(keccak256(abi.encodePacked(
_id,
"stock",
block.timestamp,
block.number,
msg.sender,
address(this),
blockhash(block.number - 1)
)))));
}

this improved functions are going to improve uniqueness and prevent collision.

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.