Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deposit() function is open to reentrancy attacks #3

Closed
code423n4 opened this issue Jan 6, 2022 · 1 comment
Closed

deposit() function is open to reentrancy attacks #3

code423n4 opened this issue Jan 6, 2022 · 1 comment
Assignees
@naps62
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sponsor vault Vault

Comments

@code423n4
Copy link
Contributor

Handle

jayjonah8

Vulnerability details

Impact

In Vault.sol the deposit() function is left wide open to reentrancy attacks. The function eventually calls _createDeposit() => _createClaim() which calls depositors.mint() which will then mint an NFT. When the NFT is minted the sender will receive a callback which can then be used to call the deposit() function again before execution is finished. An attacker can do this minting multiple NFT's for themselves. claimers.mint() is also called in the same function which can also be used to call back into the deposit function before execution is complete. Since there are several state updates before and after NFT's are minted this can be used to further manipulate the protocol like with newShares which is called before minting. This is not counting what an attacker can do with cross function reentrancy entering into several other protocol functions (like withdraw) before code execution is complete further manipulating the system.

Proof of Concept

https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/Vault.sol#L160

https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/Vault.sol#L470

https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/Vault.sol#L476

Tools Used

Manual code review

Recommended Mitigation Steps

Reentrancy guard modifiers should be placed on the deposit(), withdraw() and all other important protocol functions to prevent devastating attacks.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 6, 2022
code423n4 added a commit that referenced this issue Jan 6, 2022
@code423n4
jayjonah8 issue #3
ac119c5
@r2moon r2moon added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 7, 2022
This was referenced Jan 7, 2022
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@r2moon r2moon mentioned this issue Jan 12, 2022
Closed
@naps62 naps62 closed this as completed Jan 13, 2022
This was referenced Jan 13, 2022
Closed
Closed
Closed
Closed
@naps62 naps62 mentioned this issue Jan 13, 2022
Closed
@CloudEllie CloudEllie reopened this Jan 22, 2022
@dmvt dmvt mentioned this issue Jan 28, 2022
Closed
@naps62
Copy link
Collaborator

naps62 commented Feb 21, 2022

Fixed in https://github.com/sandclock-org/solidity-contracts/pull/75

@naps62 naps62 closed this as completed Feb 21, 2022
@MrToph MrToph mentioned this issue Mar 4, 2022
Open
@jack-the-pug jack-the-pug mentioned this issue Mar 11, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@naps62 naps62

Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sponsor vault Vault
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@naps62 @gabrielpoca @r2moon @code423n4 @CloudEllie