Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unrestricted Access to Sensitive Withdrawal Requests Enables Front-Running Attacks

kineticsofweb3

Summary

The load() function in the WithdrawalRequest.sol contract does not enforce any access control mechanisms, allowing anyone to read sensitive withdrawal request data. This lack of restriction exposes information about pending withdrawals, making it possible for malicious actors to monitor and front-run large withdrawal transactions, leading to market manipulation and economic losses.

** Vulnerability Details**

  • Affected Contract: WithdrawalRequest.sol

  • Affected Function: load()

Code Snippet of Vulnerability

function load(
uint128 vaultId,
address account,
uint128 withdrawalRequestId
) internal pure returns (Data storage withdrawalRequest) {
bytes32 slot = keccak256(abi.encode(WITHDRAWAL_REQUEST_LOCATION, vaultId, account, withdrawalRequestId));
assembly {
withdrawalRequest.slot := slot
}
}

What’s Wrong?

The function lacks access control, meaning anyone can call it and retrieve details about pending withdrawal requests.

** Attack Scenario**

  • A front-running bot calls load() to monitor withdrawal requests.

  • The bot identifies a large withdrawal that will affect the asset’s price.

  • The bot trades ahead of the withdrawal to profit from the price impact.

** Root Cause**

The function is defined as internal, but it can still be accessed within the smart contract ecosystem. There is no access control mechanism to restrict unauthorized users from retrieving withdrawal request details.

** Impact**

Information Disclosure Sensitive withdrawal request details are exposed to the public.
Market Manipulation Malicious traders can monitor withdrawals and front-run transactions.
Economic Loss |Traders executing large withdrawals may suffer from price slippage caused by frontrunners. |

** Tools Used**

  • Foundry: For testing and simulating the exploit.

  • VS Code: Smart contract review.

  • Slither: Static analysis tool to detect access control vulnerabilities.

** Proof of Concept (PoC) – Foundry Test**

The following Foundry test simulates an attacker reading withdrawal request data using the load() function.

** PoC Test: Unrestricted Access to load()**

// SPDX-License-Identifier: MIT
pragma solidity 0.8.25;
import "forge-std/Test.sol";
import { WithdrawalRequest } from "../src/market-making/leaves/WithdrawalRequest.sol";
contract AttackSimulation is Test {
using WithdrawalRequest for *;
uint128 vaultId = 1;
address account = address(0x123);
uint128 withdrawalRequestId = 1001;
function testUnauthorizedAccessToWithdrawalData() public {
// Simulate unauthorized access
WithdrawalRequest.Data storage request = WithdrawalRequest.load(vaultId, account, withdrawalRequestId);
// Assert that the function should not be accessible to unauthorized users
assertEq(request.timestamp, 0, "Unauthorized user should not access withdrawal data!");
}
}

** Behavior**

This test passes if the unauthorized user fails to retrieve the withdrawal request data due to an added access control mechanism.

** Mitigation**

Recommended Fix: Implement Access Control

Restrict load() to only authorized users (e.g., vault managers or contract owners). Modify the function to enforce access control:

modifier onlyAuthorized() {
require(msg.sender == vaultAdmin, "Unauthorized access");
_;
}
function load(
uint128 vaultId,
address account,
uint128 withdrawalRequestId
) internal view onlyAuthorized returns (Data storage withdrawalRequest) {
bytes32 slot = keccak256(abi.encode(WITHDRAWAL_REQUEST_LOCATION, vaultId, account, withdrawalRequestId));
assembly {
withdrawalRequest.slot := slot
}
}

Additional Security Enhancements

  1. Use Role-Based Access Control (RBAC)

    • Implement Ownable or AccessControl to restrict function access.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.