code-423n4 / 2022-03-joyn-findings / issue 34

DoS: Attacker May Front-Run CoreFactory.createProject() With A _projectId Causing Future Transactions With The Same _projectId to Revert

2022-03-31 00:00:00
Code4rena
github.com

Lines of code
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreFactory.sol#L34-L40

Vulnerability details

Impact

A _projectId may only be used once in CoreFactory.createProject(), because the onlyAvailableProject modifier reverts whenever projects[_projectId].creator is already non-zero.

As a result, an attacker can watch the mempool for any pending createProject() transaction and submit their own createProject() with a higher gas price that reuses the same _projectId but supplies different fields, most importantly msg.sender, which becomes the attacker's address, along with any other collection details. The attacker's transaction is mined first, the original transaction reverts, and the user can never create a project under that _projectId again.

The user therefore has to choose a new _projectId. The attack is repeatable, however, so there is no guarantee that the new id will be used successfully without the attacker front-running that transaction as well.

Proof of Concept

projects[_projectId] is set in createProject():

    projects[_projectId] = project;

createProject() also carries the onlyAvailableProject modifier, which makes any later call with the same _projectId revert:

  modifier onlyAvailableProject(string memory _projectId) {
    require(
      projects[_projectId].creator == address(0),
      'CoreFactory: Unavailable project id'
    );
    _;
  }

Recommended Mitigation Steps

One possible mitigation is to derive the projectId as a hash of msg.sender and a caller-supplied salt, so that no other address can produce the same id (the projects mapping would then be keyed by bytes32 rather than by string):

bytes32 projectId = keccak256(abi.encodePacked(msg.sender, salt));

Another possible solution is an incrementing projectId stored in the contract and incremented on every createProject() call, e.g. the first call gets projectId = 1, the second projectId = 2, and so on. Because the id is assigned on chain rather than chosen by the caller, a front-run transaction simply receives the next id instead of causing the original one to revert.
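The following contract is an added illustration of both mitigations, written for this finding; it is not Joyn's CoreFactory and it uses a made-up minimal Project struct, function names (createProjectSalted, createProjectSequential, computeProjectId) and events. Option 1 binds the id to msg.sender so a front-runner who copies the salt lands on a different key; option 2 removes the caller-chosen id entirely, so there is nothing in the pending transaction to pre-empt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative registry showing the two mitigations from the finding.
/// Not the project's code; the struct and names are assumptions.
contract ProjectRegistryExample {
    struct Project {
        address creator;
        string name;
    }

    // Mitigation 1: id derived from msg.sender and a caller-chosen salt.
    mapping(bytes32 => Project) public projectsBySalt;

    // Mitigation 2: sequential id handed out by the contract itself.
    uint256 public nextProjectId = 1;
    mapping(uint256 => Project) public projectsById;

    event ProjectCreated(bytes32 indexed projectId, address indexed creator);
    event ProjectCreatedSequential(uint256 indexed projectId, address indexed creator);

    /// Option 1. address (20 bytes) and bytes32 are both fixed width, so
    /// abi.encodePacked cannot produce colliding preimages for different inputs.
    /// A front-runner who reuses `salt` gets keccak256(attacker, salt), a
    /// different key, and cannot make this caller's transaction revert.
    /// The require can only trip when the same sender reuses its own salt.
    function createProjectSalted(bytes32 salt, string calldata name)
        external
        returns (bytes32 projectId)
    {
        projectId = keccak256(abi.encodePacked(msg.sender, salt));
        require(
            projectsBySalt[projectId].creator == address(0),
            "ProjectRegistryExample: salt already used by this sender"
        );
        projectsBySalt[projectId] = Project({creator: msg.sender, name: name});
        emit ProjectCreated(projectId, msg.sender);
    }

    /// Option 2. The id is assigned on chain, so a transaction carries no id
    /// that a competing transaction could claim first. Callers learn their id
    /// from the return value or the emitted event instead of choosing it.
    function createProjectSequential(string calldata name)
        external
        returns (uint256 projectId)
    {
        projectId = nextProjectId;
        nextProjectId = projectId + 1;
        projectsById[projectId] = Project({creator: msg.sender, name: name});
        emit ProjectCreatedSequential(projectId, msg.sender);
    }

    /// Lets off-chain code precompute an option-1 id before sending the
    /// transaction, using exactly the formula createProjectSalted applies.
    function computeProjectId(address creator, bytes32 salt)
        external
        pure
        returns (bytes32)
    {
        return keccak256(abi.encodePacked(creator, salt));
    }
}
```

With option 1 a user who needs a predictable id can call computeProjectId(self, salt) ahead of time and still be sure that no other address can occupy that slot; with option 2 any front-end that previously passed a _projectId must instead read the id back from the ProjectCreatedSequential event.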
