DOS by Frontrunning BathHouse's initialize() Function #415
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4
added
3 (High Risk)
bghughes
added
the
disagree with severity
|
I believe this is low/no severity given that we will check all storage variables of the protocol via automated scripts to make sure the protocol is initialized correctly. If someone else called the initialize function, we would try again, and if front ran every time then an added storage variable for the appropriate caller would be added to ensure we can initialize the protocol correctly |
bghughes
added
the
sponsor disputed
|
Agreed with sponsor, QA severity. |
|
Part of warden's QA report: #409 |
HickupHH3
added
QA (Quality Assurance)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/migrations/2_protocol.js#L13-L41
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L97-L129
Vulnerability details
Impact
It's seen that the deployment scripts are ready to deploy RubiconMarket.sol, RubiconRouter.sol, BathHouse.sol.
And RubiconMarket is initialized at the time of deployment. However, BathHouse initialization is not done during deployment.It is important that the proxy contracts are deployed and initialized in the same transaction to avoid any malicious frontrunning.
As a result, a malicious attacker could monitor the Ethereum blockchain for bytecode that matches the BahtHouse contract and frontrun the initialize() transaction to gain ownership of the contract. This can be repeated as a Denial Of Service (DOS) type of attack, effectively preventing Rubicon's contract deployment, leading to unrecoverable gas expenses.
Proof of Concept
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L97-L129
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/migrations/2_protocol.js#L13-L41
Tools Used
Manual Review
Recommended Mitigation Steps
it would be worthwhile to ensure the BathHouse.sol contract is deployed and initialized in the same transaction, or ensure the initialize() function is callable only by the deployer of the BathHouse.sol contract.
The text was updated successfully, but these errors were encountered: