Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kevinkien - Salt Attack Vulnerability in VoteDelegateFactory create Function #37

Closed
sherlock-admin2 opened this issue Aug 5, 2024 · 0 comments
Closed

kevinkien - Salt Attack Vulnerability in VoteDelegateFactory create Function #37

sherlock-admin2 opened this issue Aug 5, 2024 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Aug 5, 2024
edited
Loading

kevinkien

Medium

Salt Attack Vulnerability in VoteDelegateFactory create Function

Summary

The create function in the VoteDelegateFactory contract uses a predictable salt value (bytes32(uint256(uint160(msg.sender)))) when creating VoteDelegate contracts. This could lead to a salt attack, where an attacker can predict the address of the new contract and pre-create a contract at that address, potentially altering the contract's behavior.

Vulnerability Detail

The VoteDelegateFactory contract uses a salt to calculate the address of a newly created VoteDelegate contract. However, the current salt value is simply a hash of the user's address (msg.sender). If an attacker can predict the user's address, they can pre-calculate the VoteDelegate contract address and deploy a malicious contract at that address before the user initiates the transaction.

Impact

If an attacker successfully executes a salt attack, they can modify the behavior of the newly created VoteDelegate contract. This could lead to a loss of control over the voting delegation process, allowing the attacker to manipulate votes or perform other unauthorized actions.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/vote-delegate/src/VoteDelegateFactory.sol#L62

voteDelegate = address(new VoteDelegate{salt: bytes32(uint256(uint160(msg.sender)))}(chief, polling, msg.sender));

Tool used

Manual Review

Recommendation

a more random and unpredictable salt value should be used. One approach is to combine the user's address with some other random or unpredictable data, such as the current timestamp or a random number generated by an oracle.

function create() external returns (address voteDelegate) {
+    bytes32 salt = keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty)); // More random salt
+    voteDelegate = address(new VoteDelegate{salt: salt}(chief, polling, msg.sender));
    created[voteDelegate] = 1;

    emit CreateVoteDelegate(msg.sender, voteDelegate);
}

Duplicate of #63
@github-actions github-actions bot closed this as completed Aug 9, 2024
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Aug 9, 2024
@z3s z3s removed the Medium A Medium severity issue. label Aug 12, 2024
@sherlock-admin2 sherlock-admin2 changed the title Micro Emerald Tortoise - Salt Attack Vulnerability in VoteDelegateFactory create Function kevinkien - Salt Attack Vulnerability in VoteDelegateFactory create Function Aug 14, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 14, 2024
@00xSEV 00xSEV mentioned this issue Aug 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@z3s @sherlock-admin2