Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-09-ONDO-FINDINGS-ISSUES-384
HistorySep 07, 2023 - 12:00 a.m.

Critical Reentrancy Vulnerability in _mintIfThresholdMet Function

2023-09-0700:00:00
Code4rena
github.com
4
reentrancy
exploitation
financial loss
mitigation
JSON

Lines of code
<https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/DestinationBridge.sol#L112&gt;

Vulnerability details

Impact

The _mintIfThresholdMet function contains a severe reentrancy vulnerability that can be exploited by malicious contracts.
When the TOKEN.mint function is called and tokens are minted for txn.sender, the txn.amount is subsequently set to 0 by deleting txnHashToTransaction[txnHash].
This creates an opportunity for a reentrant contract to repeatedly call _mintIfThresholdMet, effectively draining the contract’s balance, and leading to a potential financial loss. The impact of this vulnerability is critical, as it compromises the security and integrity of the contract’s token minting mechanism.

Proof of Concept

_mintIfThresholdMet take txnHash that contains the sender and the amount, mint the tokens,then txnHashToTransaction[txnHash] to set them to 0.

function _mintIfThresholdMet(bytes32 txnHash) internal {
bool thresholdMet = _checkThresholdMet(txnHash);
Transaction memory txn = txnHashToTransaction[txnHash];
if (thresholdMet) { //check
_checkAndUpdateInstantMintLimit(txn.amount);
if (!ALLOWLIST.isAllowed(txn.sender)) {
ALLOWLIST.setAccountStatus(
txn.sender,
ALLOWLIST.getValidTermIndexes()[0],
true
);
}
TOKEN.mint(txn.sender, txn.amount); //interact
delete txnHashToTransaction[txnHash]; // effect
emit BridgeCompleted(txn.sender, txn.amount);
}
}

Certainly, here are the details of the vulnerability in the _mintIfThresholdMet function:

Vulnerability Description:

The _mintIfThresholdMet function contains a reentrancy vulnerability that allows a malicious contract to repeatedly call the function, resulting in the draining of the contract’s balance and potential financial loss.

Exploitation Scenario:

Initial Invocation: A legitimate transaction triggers the _mintIfThresholdMet function, which checks if a certain threshold is met. If the threshold is met, tokens are minted for txn.sender, and the txn.amount is set to 0.

Malicious Reentrant Contract: A malicious contract (a reentrant contract) is deployed, which calls the _mintIfThresholdMet function.

Reentrant Call: The reentrant contract repeatedly calls _mintIfThresholdMet, effectively entering a loop. Each time it does so, it triggers the minting of tokens for the txn.sender, and the txn.amount is set to 0.

Financial Drain: As the reentrant contract continues to call the function, it drains the contract’s balance by minting tokens for the same txn.sender and setting txn.amount to 0 each time.

Potential Loss: The reentrant contract can cause significant financial losses by depleting the contract’s token balance.

Tools Used

Manual review

Recommended Mitigation Steps

Change the order of operations so that txn.amount is set to 0 before minting tokens. This prevents reentrant contracts from repeatedly calling the function.

Assessed type

Reentrancy

The text was updated successfully, but these errors were encountered:

All reactions

JSON