Use of CREATE to handle contract deployment making the contracts vulnerable to reorg situations.
Summary
To handle SwanAssets and BuyerAgent deployment, vanilla CREATE is used, which makes the deployment process vulnerable to attacks during reorg situations.
Vulnerability Details
First SwanAsset are deployed using CREATE in the factory.
The same can be noted when a Buyer is to be created which also uses CREATE in the factory.
The protocol plans on deploying mainly on Base, which is an Optimistic rollup and Optimistic rollups are known for having re-org issues. The protocol also aims to be compatible any EVM-compatible chain, raising the chances of a reorg significantly.
So when a reorg occurs deployment of SwanAsset creation listing, a sort of mix-up can occur in which the address expected for SwanAsset being listed, created or the BuyerAgent will not match the actual address. Considering that the deployer is set as owner, the situation that'd arise is the wrong BuyerAgent/SwanAsset address being given a different owner and parameters from expected and any form of reliance on the address derivation in advance to send funds/tokens sent to the contract (e.g fees, royalties, etc) could potentially be withdrawn by the other sender who has now been made owner. All in all, it could lead to the theft of user funds.
Tools Used
Manual Review
Recommendations
Use the create2 with salt that includes real msg.sender to deploy instead.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.