https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/MembershipFactory.sol#L72
When a user wants to create their membership DAO contract, they do it via MembershipFactory::createNewDAOMembership, which deploys a dedicated MembershipERC1155 contract with the CREATE opcode. Under CREATE the address of the new contract is derived only from the factory's address and the factory's current nonce; it does not depend on who called the function. If the block containing the creation transaction is dropped in a reorg, the factory's nonce is rolled back and the next caller's deployment lands at exactly the address the first caller was assigned.
This makes MembershipFactory::createNewDAOMembership susceptible to reorg attacks: anyone who can get a createNewDAOMembership call included while the original creation is not on the canonical chain takes over the address that other users already associated with the original creator.
Reorgs are common on chains such as Polygon, which has seen some of the largest and most frequent reorgs; the biggest reorg on Polygon set the chain back by roughly 120 blocks. Since the protocol is stated to be deployed specifically to Polygon, the deployment pattern above is exposed to this class of attack.
The sendProfit function on the MembershipERC1155 contract sends profit either to the membership contract or to its creator, depending on the supply condition. Whoever ends up as the creator of the contract at a given address therefore controls where those funds go.
Consider two users calling createNewDAOMembership, followed by other users calling sendProfit to fund the DAO they just saw created. If creator A's creation transaction is removed by a reorg, creator B's subsequent creation receives the address that was assigned to A, and the profit sent to that address ends up in B's membership DAO contract.
1. Alice calls createNewDAOMembership; the factory deploys her MembershipERC1155 at an address derived from the factory's nonce, and funderA sends currency tokens to that address via sendProfit.
2. Bob runs a bot that watches the Polygon chain and alerts him whenever a reorg occurs.
3. When a reorg drops the block containing Alice's transaction, Bob calls createNewDAOMembership with the same currency token as Alice. The factory's nonce is back where it was before Alice's deployment, so Bob's MembershipERC1155 is deployed at the same address.
4. funderA's sendProfit transaction is re-included, so the currency tokens land in the MembershipERC1155 contract at that address, which now has Bob as its creator.
5. Alice's transaction is eventually re-executed, but her contract is deployed at a different address; the funds funderA sent sit in the contract created by Bob.
Funds sent via sendProfit during the reorg window can therefore be stolen by an attacker who reclaims the victim's address.
Manual Review
Update MembershipFactory::createNewDAOMembership to deploy the MembershipERC1155 contract via CREATE2 with a salt derived from msg.sender (and, so that one creator can deploy more than once, a caller-supplied value). The deployed address then depends on the creator rather than on the factory's nonce, so after a reorg Alice's re-executed transaction lands at the same address as before and Bob's call, having a different msg.sender, cannot claim it.
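The recommended change, as an added example that is not the project's code: a stand-in factory showing the CREATE deployment beside a CREATE2 deployment whose salt is bound to msg.sender, plus a helper that predicts the CREATE2 address so funders can verify it before sending. The contract names Membership, MembershipFactoryCreate, MembershipFactoryCreate2, the userSalt parameter and the computeAddress helper are hypothetical, and the constructor signature (creator, currency) is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the membership contract; not the project's MembershipERC1155.
contract Membership {
    address public immutable creator;
    address public immutable currency;

    constructor(address _creator, address _currency) {
        creator = _creator;
        currency = _currency;
    }
}

// Vulnerable pattern: CREATE. The address depends only on this factory's
// address and nonce, so after a reorg the next caller gets the same address.
contract MembershipFactoryCreate {
    event Created(address membership, address creator);

    function createNewDAOMembership(address currency) external returns (address) {
        Membership m = new Membership(msg.sender, currency);
        emit Created(address(m), msg.sender);
        return address(m);
    }
}

// Hardened pattern: CREATE2 with a salt that commits to msg.sender.
// address = keccak256(0xff ++ factory ++ salt ++ keccak256(initcode))[12:],
// so a different caller can never land at the same address, and the same
// caller re-submitting after a reorg lands at the original one.
contract MembershipFactoryCreate2 {
    event Created(address membership, address creator);

    // userSalt lets one creator deploy several memberships; a repeated
    // (creator, userSalt) pair targets an address that already has code,
    // and the CREATE2 reverts instead of silently reusing it.
    function _salt(address creator, bytes32 userSalt) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(creator, userSalt));
    }

    function createNewDAOMembership(address currency, bytes32 userSalt) external returns (address) {
        bytes32 salt = _salt(msg.sender, userSalt);
        Membership m = new Membership{salt: salt}(msg.sender, currency);
        emit Created(address(m), msg.sender);
        return address(m);
    }

    // Predicts the deployment address. A funder can compare this with the
    // address they intend to pay and with the creator they expect, because
    // the creator is part of both the salt and the constructor arguments.
    function computeAddress(address creator, address currency, bytes32 userSalt)
        public
        view
        returns (address)
    {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(Membership).creationCode, abi.encode(creator, currency))
        );
        return address(
            uint160(
                uint256(
                    keccak256(
                        abi.encodePacked(bytes1(0xff), address(this), _salt(creator, userSalt), initCodeHash)
                    )
                )
            )
        );
    }
}
```

Two points to check when applying this to the real factory. First, if MembershipERC1155 is deployed behind a proxy with constant initcode, the constructor arguments no longer contribute to the address, so binding msg.sender into the salt is the only thing keeping the address caller-specific; do not drop it in favour of a salt built from the currency alone. Second, the fix protects the address, not the funding transaction itself: sendProfit calls sent in the reorged window are still re-included, which is fine here only because the re-executed creation by the same creator yields the same address.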