Code4rena (code423n4) - CODE423N4:2023-03-POLYNOMIAL-FINDINGS-ISSUES-159
Mar 20, 2023 - 12:00 a.m.

Unprotected setVault function can be frontrun to set the attacker controlled vault address

Source: Code4rena, github.com
Tags: front-running, vulnerability, token manipulation

Lines of code

Vulnerability details

Impact

The unprotected setVault function in VaultToken.sol can be front-run to set an attacker-controlled vault address. Once an attacker-controlled address is set as the vault, the attacker can mint a large amount of tokens for himself and can also burn other users' tokens.

Proof of Concept

function setVault(address _vault) external {
    if (vault != address(0x0)) {
        revert();
    }
    vault = _vault;
}

Attack scenario:

  • Step 1: The attacker monitors VaultToken transactions for a setVault call.
  • Step 2: The attacker front-runs the setVault transaction to set his own vault address.
  • Step 3: The attacker can mint / burn tokens to/from anyone.

Since there is no other way to set the vault address to the protocol's vault, the protocol has to redeploy the VaultToken contract.

Tools Used

Manual Review

Recommended Mitigation Steps

Since setting the vault is critical functionality, we recommend using a private relay such as Flashbots to mine such transactions, OR applying some kind of governance control / access control to such functions.
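
One way to apply the access-control option, as an added example that is not the project's code: a minimal token whose setVault keeps the set-once rule but only accepts the call from the deployer. The contract name GuardedVaultToken, the deployer variable, the custom errors, the VaultSet event and the mint/burn bodies are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration, not the project's VaultToken: only the pieces
// needed to show a deployer-restricted, set-once setVault.
contract GuardedVaultToken {
    address public immutable deployer; // assumption: the deployer is the trusted party
    address public vault;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    error NotDeployer();
    error NotVault();
    error VaultAlreadySet();
    error ZeroAddress();

    event VaultSet(address indexed vault);

    constructor() {
        deployer = msg.sender;
    }

    modifier onlyVault() {
        if (msg.sender != vault) revert NotVault();
        _;
    }

    // Same set-once rule as the original, but a caller other than the
    // deployer is rejected, so a front-run call cannot claim the slot.
    function setVault(address _vault) external {
        if (msg.sender != deployer) revert NotDeployer();
        if (vault != address(0)) revert VaultAlreadySet();
        if (_vault == address(0)) revert ZeroAddress();
        vault = _vault;
        emit VaultSet(_vault);
    }

    function mint(address to, uint256 amount) external onlyVault {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external onlyVault {
        balanceOf[from] -= amount; // checked arithmetic reverts on underflow
        totalSupply -= amount;
    }
}
```

The VaultSet event gives deployment scripts and monitoring a single log entry to compare against the expected vault address.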

