Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Valid

Reorg attack

Summary

When a user wants to create a new DAO membership, they call MembershipFactory::createNewDAOMembership. The function deploys the proxy with CREATE, which is vulnerable to a reorg attack.

Vulnerability Details

function createNewDAOMembership(
    DAOInputConfig calldata daoConfig,
    TierConfig[] calldata tierConfigs
) external returns (address) {
    // ...
    // @audit reorg attack potential
    TransparentUpgradeableProxy proxy = new TransparentUpgradeableProxy(
        membershipImplementation,
        address(proxyAdmin),
        abi.encodeWithSignature(
            "initialize(string,string,string,address,address)",
            daoConfig.ensname, "OWP", baseURI, _msgSender(), daoConfig.currency
        )
    );
    DAOConfig storage dao = daos[address(proxy)];
    dao.ensname = daoConfig.ensname;
    dao.daoType = daoConfig.daoType;
    dao.currency = daoConfig.currency;
    dao.maxMembers = daoConfig.maxMembers;
    dao.noOfTiers = daoConfig.noOfTiers;
    // ...
}

As mentioned in the contest's README file, this function will be deployed on Polygon, which is vulnerable to reorg attacks. There are specific cases with a depth of 157 blocks (reference).

Example:

  1. Alice deploys a new DAO.

  2. Bob has a bot that observes the blockchain for reorg.

  3. Bob calls the specific transaction.

  4. Finally, Alice's tx is executed and the new DAO will be controlled by Bob without Alice knowing.

  5. Bob immediately modifies the proxyAdmin in the newly created MembershipERC1155.sol and transfers the tokens to himself if there is profit being transferred.

Impact

The actor will get the newly transferred profit.

Likelihood : Low
Impact : High

Tools Used

Manual Review

Recommendations

Deploy the DAO via CREATE2 with a salt that includes msg.sender.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

reorg issues
