Predictability of newContractPool #99
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
🤖_99_group
AI based duplicate group recommendation
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticFactory.sol#L237
Vulnerability details
Impact
Theft of the user's deposit. When a user creates a new pool and deposits funds into it, an attacker can front-run the user's transaction and capture the deposited amounts.
A user's newPoolContract deployment can also be forcibly reverted by an attacker who deploys a newPoolContract for himself using the user's salt, since the CREATE2 address is already taken when the user's transaction executes.
Proof of Concept
When a newPoolContract is created, the user-supplied "salt" is the only value passed into cloneDeterministic.
This means nothing ties the newPoolContract address to the caller: the address is fully predictable from the pending transaction's calldata. An attacker who observes the pending transaction can front-run it with the same salt and deploy an identical newPoolContract at exactly that address first.
Tools Used
Manual review
Recommended Mitigation Steps
"msg.sender" should be mixed into the "salt" value so that the resulting address is unique per caller.
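The contrast below is an added illustration, not Panoptic's PanopticFactory code: a minimal clone factory built on OpenZeppelin's Clones library with the sender-independent salt (deployPredictable) beside a salt bound to msg.sender (deployBound). The contract name, the implementation address passed to the constructor, and the uint96 user salt are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

/// Example factory (not the audited project's code). `implementation` is
/// assumed to be any deployed reference contract the EIP-1167 clones point at.
contract ExampleCloneFactory {
    address public immutable implementation;
    mapping(address => bool) public isPool;

    event PoolDeployed(address indexed deployer, address pool);

    constructor(address impl) {
        implementation = impl;
    }

    // Vulnerable pattern: the caller's raw salt is the only CREATE2 input.
    // The address depends solely on (factory, implementation, salt), so anyone
    // who sees the pending call can submit the same salt first. The victim's
    // call then reverts because CREATE2 refuses to deploy to an occupied address.
    function deployPredictable(bytes32 salt) external returns (address pool) {
        pool = Clones.cloneDeterministic(implementation, salt);
        isPool[pool] = true;
        emit PoolDeployed(msg.sender, pool);
    }

    // Hardened pattern: derive the salt from msg.sender and the user's value.
    // A front-runner reusing the same user salt lands on a different address,
    // so the victim's deployment can be neither blocked nor squatted.
    function deployBound(uint96 userSalt) external returns (address pool) {
        pool = Clones.cloneDeterministic(implementation, _boundSalt(msg.sender, userSalt));
        isPool[pool] = true;
        emit PoolDeployed(msg.sender, pool);
    }

    // Pre-flight checks: the address each variant will occupy. For the
    // vulnerable variant this is computable by anyone from the salt alone.
    function predictPredictable(bytes32 salt) external view returns (address) {
        return Clones.predictDeterministicAddress(implementation, salt);
    }

    function predictBound(address deployer, uint96 userSalt) external view returns (address) {
        return Clones.predictDeterministicAddress(implementation, _boundSalt(deployer, userSalt));
    }

    // Hashing keeps all 160 bits of the sender rather than truncating it to fit
    // alongside the user salt in a single bytes32.
    function _boundSalt(address deployer, uint96 userSalt) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(deployer, userSalt));
    }
}
```

To reproduce the issue in a test, call predictPredictable(salt) from two different accounts and observe the same address, then have the second account call deployPredictable(salt) before the first; the first account's call reverts inside Clones.cloneDeterministic. Repeating the sequence with deployBound(userSalt) succeeds for both accounts because predictBound returns a distinct address per deployer.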
Assessed type
Other