DOS+griefing attack for AuraVestedEscrow contract by calling fund() because it does not have access control and anyone can call it and initialize contract with wrong parameters #305

Open
code423n4 opened this issue May 25, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) G (Gas Optimization)

Comments

@code423n4
Contributor

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L96-L110

Vulnerability details

Impact

There is no access control in fund() and anyone can call it. This function is only callable one time for a contract and initializes the contract. An attacker can call this function of any deployed contract exactly after deployment with dummy parameters and make the contract become useless. It will cause the deployer to pay the deployment gas fee, and the impact is even larger if the address of this contract has been used in other contracts.

Proof of Concept

This is fund() code in AuraVestedEscrow:

```solidity
function fund(address[] calldata _recipient, uint256[] calldata _amount) external nonReentrant {
    require(!initialised, "initialised already");

    uint256 totalAmount = 0;
    for (uint256 i = 0; i < _recipient.length; i++) {
        uint256 amount = _amount[i];

        totalLocked[_recipient[i]] += amount;
        totalAmount += amount;

        emit Funded(_recipient[i], amount);
    }
    rewardToken.safeTransferFrom(msg.sender, address(this), totalAmount);
    initialised = true;
}
```

As you can see, the deployer needs to call this contract after deployment and this function is only callable one time. But an attacker can watch contract deployments and immediately call fund([],[]) and initiate the deployed contract with dummy parameters and make the deployer lose the deployment gas paid. So an attacker can completely block usage of this contract for all deployments.

Tools Used

VIM

Recommended Mitigation Steps

Check that msg.sender in fund is the owner, or use another mechanism that prevents a hacker from performing DOS.
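
One way to apply the recommended mitigation, shown as an added example that is not part of the original issue or the Aura code base: a self-contained escrow that keeps the shape of the quoted fund() and adds a caller check plus input checks. The `admin` variable, the error strings and the `IERC20Min` interface are assumptions, and plain `transferFrom` stands in for the `safeTransferFrom` and `nonReentrant` of the quoted code so that the block compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Added example, not the Aura code. `admin`, the error strings and the
// IERC20Min interface are assumptions made for illustration.
interface IERC20Min {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GuardedEscrowExample {
    IERC20Min public immutable rewardToken;
    address public immutable admin; // assumed: fixed at deployment
    bool public initialised;
    mapping(address => uint256) public totalLocked;

    event Funded(address indexed recipient, uint256 amount);

    constructor(address rewardToken_, address admin_) {
        require(admin_ != address(0), "zero admin");
        rewardToken = IERC20Min(rewardToken_);
        admin = admin_;
    }

    function fund(address[] calldata _recipient, uint256[] calldata _amount) external {
        // Only the designated funder may consume the one-time initialisation.
        require(msg.sender == admin, "!auth");
        require(!initialised, "initialised already");
        // Reject the empty call fund([], []) and mismatched arrays.
        require(_recipient.length > 0, "no recipients");
        require(_recipient.length == _amount.length, "length mismatch");

        // Set the flag before the external call so a re-entrant call fails.
        initialised = true;

        uint256 totalAmount = 0;
        for (uint256 i = 0; i < _recipient.length; i++) {
            totalLocked[_recipient[i]] += _amount[i];
            totalAmount += _amount[i];
            emit Funded(_recipient[i], _amount[i]);
        }
        // A revert here rolls back the flag and balances set above.
        require(
            rewardToken.transferFrom(msg.sender, address(this), totalAmount),
            "transfer failed"
        );
    }
}
```

With the caller check in place, a call to fund() from any account other than `admin` reverts with "!auth" and leaves `initialised` false, so the one-time initialisation stays available to the deployer.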

@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels May 25, 2022
code423n4 added a commit that referenced this issue May 25, 2022
@0xMaharishi 0xMaharishi added duplicate This issue or pull request already exists disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels May 28, 2022
@0xahtle7
Collaborator

Duplicate of #163

@dmvt
Collaborator

dmvt commented Jun 20, 2022

I'm going to downgrade this one to a gas issue given that the worst impact is a required redeploy. The suggested mitigation is valid.
