
chaduke - CREATE2 address collision against a position allows the position owner to drain all the lending pools. #14

Closed
sherlock-admin4 opened this issue Aug 24, 2024 · 0 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

sherlock-admin4 (Contributor) commented Aug 24, 2024

chaduke

High

CREATE2 address collision against a position allows the position owner to drain all the lending pools.

Summary

CREATE2 address collision against a position allows the position owner to drain all the collaterals from the position and get away with all the funds he loaned.

Root Cause

A user, Bob, can create 1) a large number of positions that he owns by providing different salts, and 2) a long list of smart contract addresses that he can control. Once he finds the collision, Bob can drain the position, since he is in control of the position address and can transfer funds away.

https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/PositionManager.sol#L268-L286

Internal pre-conditions

None

External pre-conditions

Find the collision described above

Attack Path

Once he finds a collision address X, Bob can deploy a contract on X using create2, which sets the allowances for various assets for another attacker wallet address, and then self-destruct the contract.

Bob can then deploy the regular position contract on X, deposit a huge amount of collateral and borrow a huge amount of debt. Bob can then use the attacker wallet to transfer all the collateral away, along with the loan. Bob effectively can drain all the lending pools in the protocol.

Impact

The attacker can drain all the lending pools.

PoC

This attack is similar to the following two findings, which have been rewarded by Sherlock.

[1] Address collision attack, Issue 4: sherlock-audit/2024-01-napier-judging#111
[2] Issue 5: sherlock-audit/2023-12-arcadia-judging#59

The feasibility of finding the collision and the script to launch the attack have been discussed in these two references too.

Mitigation

Limit the number of positions that a user can own. In this way, it is unlikely to have a collision.

github-actions bot closed this as completed Sep 5, 2024
github-actions bot added the labels "Has Duplicates" (A valid issue with 1+ other issues describing the same vulnerability) and "Excluded" (Excluded by the judge without consulting the protocol or the senior) Sep 5, 2024
sherlock-admin4 changed the title from "Zesty Rainbow Wombat - CREATE2 address collision against a position allows the position owner to drain all the lending pools." to "chaduke - CREATE2 address collision against a position allows the position owner to drain all the lending pools." Sep 15, 2024
sherlock-admin4 added the label "Non-Reward" (This issue will not receive a payout) and removed "Has Duplicates" Sep 15, 2024