Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

function brokerClaim is vulnerable to frontrunning #111

Open
code423n4 opened this issue Jul 16, 2023 · 7 comments
Open

function brokerClaim is vulnerable to frontrunning #111

code423n4 opened this issue Jul 16, 2023 · 7 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-b primary issue Highest quality submission among a set of duplicates Q-72 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

code423n4 commented Jul 16, 2023
edited
Loading

Lines of code

https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/oTAP.sol?plain=1#L126
https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/aoTAP.sol?plain=1#L139

Vulnerability details

Impact

The attacker can execute the function before the deployer due to front-running, after which the broker variable will become equal to the address of the attacker, and attacker will gain control over all the functions of the smart contract with the onlyBroker modifier.

Proof of Concept

https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/options/oTAP.sol?plain=1#L126

  function brokerClaim() external {
    require(broker == address(0), "OTAP: only once");
    broker = msg.sender;
  }

Tools Used

manual

Recommended Mitigation Steps

It is necessary to move the initialization of the broker variable to the constructor or ensuring atomic creation+deployment with script or factory contract.

Assessed type

MEV
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jul 16, 2023
code423n4 added a commit that referenced this issue Jul 16, 2023
@code423n4
CryptoYulia issue #111
c68368c
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jul 31, 2023
@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Aug 5, 2023
@c4-pre-sort
Copy link

minhquanym marked the issue as primary issue

This was referenced Aug 5, 2023
Closed
Closed
Closed
Closed
Closed
Open
Closed
Closed
Closed
Closed
Open
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Open
Closed
This was referenced Aug 5, 2023
Closed
Closed
Closed
Closed
@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Aug 14, 2023
@c4-sponsor
Copy link

0xRektora marked the issue as disagree with severity

@0xRektora
Copy link

informational, has to be called 1 time, at the time of protocol deployment. If not claimed by actual owner, contract can be redeployed.

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Aug 18, 2023
@c4-sponsor
Copy link

0xRektora marked the issue as sponsor confirmed

@dmvt
Copy link

dmvt commented Sep 14, 2023

I agree with the sponsor. The full risk is gas cost of redeploying. No one can mint beside the broker, so protocol funds cannot be lost here. Downgrading to QA for medium risk reports, overinflated for high risk.

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Sep 14, 2023
@c4-judge
Copy link

dmvt changed the severity to QA (Quality Assurance)

@c4-judge
Copy link

dmvt marked the issue as grade-b

@C4-Staff C4-Staff added the Q-72 label Oct 10, 2023
@0xRektora 0xRektora mentioned this issue Jun 4, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-b primary issue Highest quality submission among a set of duplicates Q-72 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@dmvt @0xRektora @code423n4 @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff