Pool creation in QuantAMMWeightedPoolFactory is dependent on the function argument NewPoolParams, which can be seen by anyone in the mempool. An attacker can use these parameters to create a pool at the same predetermined address by frontrunning the original user's transaction, which then reverts because it tries to deploy a pool at an address where the attacker's pool already exists. The attacker can keep DoSing the original pool creator, preventing them from deploying pools.
The functions createWithoutArgs and create both use NewPoolParams to deploy a pool:
Here, the pool parameters and the salt are public once the tx is in the mempool. An attacker can use these parameters to create a pool at the same address, and any later attempt by the user to create a pool at that address fails because a pool already exists there. So an attacker can keep frontrunning a user's pool-creation transaction by paying a higher gas fee and using the same parameters, and can keep DoSing the innocent user for as long as he likes.
Note that this attack is possible as the protocol intends to deploy on the Ethereum mainnet which has a public mempool.
See also this related finding: https://code4rena.com/reports/2023-04-caviar#m-11-factorycreate-predictability-of-pool-address-creates-multiple-issues
Pool creation is highly susceptible to DoS
Manual review
Append msg.sender to the salt in the parameters to ensure a unique address is used every time.
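The following is an added illustration of that mitigation, not code from the QuantAMM or Balancer contracts: a minimal factory whose CREATE2 salt is taken verbatim from the caller, beside one that mixes msg.sender into the salt so a frontrunner submitting identical parameters lands at a different address. The Pool stub, the finalSalt and predict helpers, and the params encoding are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the weighted pool (assumed; not the project's contract).
contract Pool {
    address public immutable factory;
    bytes32 public immutable paramsHash;

    constructor(bytes32 _paramsHash) {
        factory = msg.sender;
        paramsHash = _paramsHash;
    }
}

contract VulnerableFactory {
    // The caller-supplied salt alone fixes the CREATE2 address, so anyone who
    // sees (params, salt) in the mempool can occupy that address first, and the
    // original creator's transaction then reverts on the CREATE2 collision.
    function create(bytes memory params, bytes32 salt) external returns (address) {
        return address(new Pool{salt: salt}(keccak256(params)));
    }
}

contract HardenedFactory {
    // Folding msg.sender into the salt gives each creator its own address space:
    // the same (params, salt) sent by a different account yields a different address.
    function finalSalt(address creator, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(creator, salt));
    }

    function create(bytes memory params, bytes32 salt) external returns (address) {
        return address(new Pool{salt: finalSalt(msg.sender, salt)}(keccak256(params)));
    }

    // Preview of the address a given creator will get, following the CREATE2
    // formula: keccak256(0xff ++ factory ++ salt ++ keccak256(initCode))[12:].
    function predict(address creator, bytes memory params, bytes32 salt) external view returns (address) {
        bytes32 initHash = keccak256(
            abi.encodePacked(type(Pool).creationCode, abi.encode(keccak256(params)))
        );
        bytes32 raw = keccak256(
            abi.encodePacked(bytes1(0xff), address(this), finalSalt(creator, salt), initHash)
        );
        return address(uint160(uint256(raw)));
    }
}
```

With HardenedFactory, predict(attacker, params, salt) and predict(victim, params, salt) differ, so an attacker's frontrun no longer collides with the victim's deployment.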