Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-06-STADER-FINDINGS-ISSUES-370
HistoryJun 09, 2023 - 12:00 a.m.

When deploying a contract in PermissionlessNodeRegistry.deployNodeELRewardVault(), an attacker can find out in advance the address of the future deployed contract and deploy his own at this address

2023-06-0900:00:00
Code4rena
github.com
5
vulnerability
predict
deploy
contract
reward theft
manipulation
mitigation
concatenate
salt
user address
governance
JSON

Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/main/contracts/factory/VaultFactory.sol#L48-L60&gt;

Vulnerability details

Impact

The address of the new contract depends solely on the _salt parameter, which is calculated from user-provided data. Once a user’s create transaction is broadcast, the parameters for calculating _salt can be viewed by anyone viewing the public mempool. This would result in an attacker being able to steal a share of the operator’s reward and manipulate the distribution of the user and protocol reward.

Tools Used

Manual audit

Recommended Mitigation Steps

Consider making the upcoming pool address a specific user by concatenating the salt value with the user’s address.
bytes32 salt = sha256(abi.encode(_poolId, _operatorId, _validatorCount, msg.sender));

Assessed type

Governance

The text was updated successfully, but these errors were encountered:

All reactions

JSON