arbitraryCall() can get blocked by an attacker #47
Labels: 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value); bug (Something isn't working); sponsor acknowledged (Technically the issue is correct, but we're not going to resolve it for XYZ reasons)
Handle: GiveMeTestEther
Vulnerability details
Impact
The intended use of "arbitraryCall()" (L733) is for "gov" to claim airdrops. If the address "who" is a token that an attacker could send as an incentive via "createIncentive()", then such a claim can be made unusable, because L735 contains require(incentives[who] == 0, "inc"); which reverts if a "who" token was received as an incentive.
In this case incentives[who] can be reset to 0 by the stream creator by calling "claimIncentive()", but only after the stream has ended, according to "require(block.timestamp >= endStream, "stream");" (L520).
If the airdrop is only claimable before the end of the stream, then the airdrop can never be claimed.
If "gov" is not the stream creator, then the stream creator must also become "gov", because "claimIncentive()" can only be called by the stream creator and "arbitraryCall()" only by "gov". If resetting incentives[who] to 0 via "claimIncentive()" and the "arbitraryCall()" for the "who" address do not happen atomically, an attacker can send a "who" token again between those two calls.
Proof of Concept
https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L733
https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L500
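The blocking sequence above, reduced to a small Python model (an added illustration, not code from the Streaming repository): only the two checks the report cites (incentives[who] == 0 and block.timestamp >= endStream) and the creator/gov role restrictions are modelled, and the actors "creator", "gov" and the "AIRDROP" token are constructed labels.

```python
from dataclasses import dataclass, field

class Revert(Exception):
    """EVM revert stand-in; the message is the require() reason string."""

@dataclass
class StreamModel:
    creator: str
    gov: str
    end_stream: int
    incentives: dict = field(default_factory=dict)

    def create_incentive(self, who: str, amount: int) -> None:
        # Anyone can deposit token `who` as an incentive; the balance only grows here.
        self.incentives[who] = self.incentives.get(who, 0) + amount

    def claim_incentive(self, sender: str, who: str, now: int) -> None:
        # Creator-only, and only once the stream has ended (the L520 check).
        if sender != self.creator:
            raise Revert("!creator")
        if now < self.end_stream:
            raise Revert("stream")
        self.incentives[who] = 0  # the only path that resets incentives[who]

    def arbitrary_call(self, sender: str, who: str) -> bool:
        # gov-only; blocked while any incentive balance exists for `who` (the L735 check).
        if sender != self.gov:
            raise Revert("!gov")
        if self.incentives.get(who, 0) != 0:
            raise Revert("inc")
        return True  # the external airdrop claim would execute here

def attempt(call) -> str:
    # Run one call and return "ok" or "revert:<reason>".
    try:
        call()
        return "ok"
    except Revert as e:
        return f"revert:{e}"

def run_scenario(end_stream: int, atomic_reset: bool) -> list:
    """Replay the report's sequence; actors and the 'AIRDROP' token are constructed labels."""
    s = StreamModel(creator="creator", gov="gov", end_stream=end_stream)
    s.create_incentive("AIRDROP", 1)  # attacker parks one unit of the airdrop token
    trace = [attempt(lambda: s.arbitrary_call("gov", "AIRDROP")),  # during the stream
             attempt(lambda: s.claim_incentive("creator", "AIRDROP", now=end_stream - 1)),
             attempt(lambda: s.claim_incentive("creator", "AIRDROP", now=end_stream))]
    if not atomic_reset:  # separate transactions: attacker re-deposits before gov's call lands
        s.create_incentive("AIRDROP", 1)
    trace.append(attempt(lambda: s.arbitrary_call("gov", "AIRDROP")))
    return trace
```

run_scenario(100, atomic_reset=False) ends in a second "inc" revert, while atomic_reset=True lets the final gov call succeed, which is the distinction the last paragraph of the report draws.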
Tools Used
Recommended Mitigation Steps