Project: One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Valid

Creation of DAO is vulnerable to reorg attacks

Summary

A new DAO is created by calling createNewDAOMembership() and passing in the configuration for the DAO and its tiers. The DAO membership is represented by an ERC1155 contract, which is deployed within this function. The deployment uses the standard create opcode, meaning the address of the new contract is derived solely from the MembershipFactory’s nonce. This reliance on the nonce makes it vulnerable to reorg attacks.

Vulnerability Details

Reorgs can happen on Polygon, as can be seen in the following examples: example1, example2.
As described in the summary, relying only on the factory's nonce for the address of the new ERC1155 contract can lead to problems, in particular loss of funds for users in the context of the current protocol. Relying on that address can lead to users joining the wrong DAO, which includes paying its fees.

  • Alice creates a new DAO by calling createNewDAOMembership(). This generates an expected DAO membership contract address, let's call it X, based solely on the MembershipFactory’s nonce.

  • Bob, intending to join Alice's DAO, calls joinDAO() with X as the DAO membership address, expecting X to be Alice’s DAO.

  • A reorg occurs, and an attacker sees Alice’s original transaction. The attacker then frontruns Alice’s createNewDAOMembership() by deploying their own DAO membership contract before her transaction is reprocessed.

  • Due to the reorg, the attacker’s DAO membership contract now occupies address X since it relies only on the factory’s nonce.

  • When Alice's and Bob's original transactions are replayed, Bob’s joinDAO() transaction is directed to address X, which is now the attacker’s DAO membership contract, not Alice’s.

As a result, Bob unintentionally joins the attacker’s DAO by paying the corresponding fee.

Creation of new ERC1155 contract: https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L72

Impact

Although the probability of this scenario occurring is low, the impact on affected users would be severe, as it leads to a direct loss of funds.

Tools Used

Manual review.

Recommendations

Consider using create2 when deploying new contracts whose addresses will later be used by other users.
OZ create2 blog: https://docs.openzeppelin.com/cli/2.8/deploying-with-create2
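As an added example (not the project's code), a simplified factory that places the nonce-based `create` deployment beside a `create2` deployment whose salt is bound to the creator, plus a creator check a joiner can perform before paying; `DAOMembership`, `MembershipFactoryExample`, `createDAOWithCreate2`, `computeDAOAddress` and the `expectedCreator` parameter are assumed names for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the ERC1155 membership contract; only what the example needs.
contract DAOMembership {
    address public immutable creator;
    string public name;

    constructor(address _creator, string memory _name) {
        creator = _creator;
        name = _name;
    }
}

contract MembershipFactoryExample {
    mapping(address => bool) public isDAO;

    // Vulnerable pattern: plain `new` uses CREATE, so the address is derived only from this
    // factory's nonce. After a reorg, whichever creation lands first gets the address that
    // other users already computed and relied on.
    function createDAOWithCreate(string calldata _name) external returns (address dao) {
        dao = address(new DAOMembership(msg.sender, _name));
        isDAO[dao] = true;
    }

    // Hardened pattern: CREATE2 with a salt bound to msg.sender. The address now commits to
    // (factory, creator, userSalt, constructor args); a contract deployed by anyone else, or
    // with different config, lands elsewhere regardless of transaction order. Reusing the
    // same creator/salt/args reverts because that address is already occupied.
    function createDAOWithCreate2(string calldata _name, bytes32 userSalt) external returns (address dao) {
        bytes32 salt = keccak256(abi.encode(msg.sender, userSalt));
        dao = address(new DAOMembership{salt: salt}(msg.sender, _name));
        isDAO[dao] = true;
    }

    // Lets a joiner recompute the address Alice's DAO must have, before sending any fee.
    function computeDAOAddress(address creator, string memory _name, bytes32 userSalt) public view returns (address) {
        bytes32 salt = keccak256(abi.encode(creator, userSalt));
        bytes32 initCodeHash = keccak256(abi.encodePacked(type(DAOMembership).creationCode, abi.encode(creator, _name)));
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash)))));
    }

    // Defence that works with either deployment method: bind the join to the expected creator
    // so a transaction replayed after a reorg cannot be redirected to a stranger's DAO.
    function joinDAO(address dao, address expectedCreator) external payable {
        require(isDAO[dao], "unknown DAO");
        require(DAOMembership(dao).creator() == expectedCreator, "DAO creator mismatch");
        // fee handling omitted
    }
}
```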

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

reorg issues

Appeal created

vinica_boy Submitter
about 1 year ago
0xbrivan2 Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

reorg issues
