Re-org Vulnerability.
Summary
There is an issue in the address generation mechanism, which is vulnerable to re-orgs.
The function GenerateAddress.generateOfferAddress(offerId) generates addresses based solely on the offerId.
Vulnerability Details
when createOffer is called it will generate 3 address makerAddr/stockAddr/offerAddr and these addresses generated based on offerId solely
and this will be an issue because of re-org
How the Vulnerability Occurs:
When generating addresses GenerateAddress.generateOfferAddress(offerId), the offer ID will be passed
To ensure uniqueness for each address but the problem is that this process is vulnerable to a re-org attack.
When contract creates a new contract it creates it with its Address + Nonce
Now lets back to our issue if we look close how GenerateAddress.generateOfferAddress(offerId) works we will see this:
As we see the only thing changes is _id in this case _id will be like Nonce So When a re-org happen the same issue will happen here, When reorg happen users could interact with wrong offerAddr.
Impact
Incorrect Address Interaction: Users could potentially interact with the wrong offer address.
Tools Used
Recommendations
Add msg.sender or salt to simulate create2.
Lead Judging Commences
[invalid] finding-PreMarkets-createTaker-reorg
Invalid, the taker should be creating a taker offer for an already existing maker offer that has been finalized, i.e. createOffer has been successfully executed before reorg occurs, so this is a non-issue
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.