#36475 [SC-Medium] Token allowance signature can be front-run
Submitted on Nov 3rd 2024 at 23:51:27 UTC by @zhuying for Audit Comp | Anvil
Report ID: #36475
Report Type: Smart Contract
Report severity: Medium
Target: https://etherscan.io/address/0xd042C267758eDDf34B481E1F539d637e41db3e5a
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
Brief/Intro
A token allowance signature is required when users stake to TimeBasedCollateralPool. However, once a user submits the stake tx, anyone can front-run it by calling the `modifyCollateralizableTokenAllowanceWithSignature` function in CollateralVault.sol with the same signature, which increases the user's nonce. The user's stake tx then reverts because of an invalid signature.
Vulnerability Details
```
function modifyCollateralizableTokenAllowanceWithSignature(
    address _accountAddress,
    address _collateralizableContractAddress,
    address _tokenAddress,
    int256 _allowanceAdjustment,
    bytes calldata _signature // @audit-issue signature can be front-run
) external {
    if (_allowanceAdjustment > 0 && !collateralizableContracts[_collateralizableContractAddress]) {
        revert ContractNotApprovedByProtocol(_collateralizableContractAddress);
    }

    _modifyCollateralizableTokenAllowanceWithSignature(
        _accountAddress, _collateralizableContractAddress, _tokenAddress, _allowanceAdjustment, _signature
    );
}
```
The parameters of the `modifyCollateralizableTokenAllowanceWithSignature` function are supplied directly by the caller. Anyone who knows the signature can call this function to consume it. The contracts are deployed to mainnet. If a user submits a stake tx publicly, its contents are visible to anyone. An attacker can front-run the stake tx so that the user's stake tx reverts.
Impact Details
User's token allowance signature is useless if anyone front-runs the signature message.
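A common way for a calling contract to tolerate an already-consumed signature, shown as an added example that is not Anvil's code or part of the original report: attempt the signature call inside `try/catch`, then check the resulting allowance instead of relying on the call succeeding. Only the `modifyCollateralizableTokenAllowanceWithSignature` signature comes from this page; `IVaultLike`, `allowanceOf`, `FrontRunTolerantAllowance` and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: ISC
pragma solidity 0.8.25;

// Added example, not Anvil code. Only the signature of
// modifyCollateralizableTokenAllowanceWithSignature is taken from this page.
interface IVaultLike {
    function modifyCollateralizableTokenAllowanceWithSignature(
        address _accountAddress,
        address _collateralizableContractAddress,
        address _tokenAddress,
        int256 _allowanceAdjustment,
        bytes calldata _signature
    ) external;

    // Hypothetical getter (assumption): allowance an account has granted to a
    // collateralizable contract for a token.
    function allowanceOf(address account, address collateralizable, address token)
        external
        view
        returns (uint256);
}

abstract contract FrontRunTolerantAllowance {
    IVaultLike internal immutable vault;

    error NonPositiveAdjustment();
    error AllowanceTooLow(uint256 have, uint256 need);

    constructor(IVaultLike _vault) {
        vault = _vault;
    }

    // Apply the user's allowance signature without letting a third party who
    // submitted the same signature first turn this call into a revert.
    function _useAllowanceSignature(address account, address token, int256 adjustment, bytes calldata signature)
        internal
    {
        if (adjustment <= 0) revert NonPositiveAdjustment();
        try vault.modifyCollateralizableTokenAllowanceWithSignature(
            account, address(this), token, adjustment, signature
        ) {} catch {
            // Signature rejected: its nonce may already be spent. Do not revert yet.
        }
        // What matters for staking is the resulting allowance, whoever submitted it.
        uint256 have = vault.allowanceOf(account, address(this), token);
        if (have < uint256(adjustment)) revert AllowanceTooLow(have, uint256(adjustment));
    }
}
```

If the signature was submitted earlier by someone else, the allowance it granted is already in place and the check passes; a signature that was never valid still ends in a revert unless the account had already granted enough allowance by other means.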
References
https://github.com/AcronymFoundation/anvil-contracts/blob/1bbe04bb6f1aa1beea0ebf55e1bad67da3aa0f87/contracts/CollateralVault.sol#L294-L311
Link to Proof of Concept
https://gist.github.com/psych2go/b596434b80f6ae5a9ad444a09bdab9b1
Proof of Concept
```
// SPDX-License-Identifier: ISC
pragma solidity 0.8.25;

import {Test} from "forge-std/Test.sol";
import {CollateralVault} from "../contracts/CollateralVault.sol";
import {TimeBasedCollateralPool} from "../contracts/TimeBasedCollateralPool.sol";
import {ICollateral} from "../contracts/interfaces/ICollateral.sol";
import {mockERC20} from "./mocks/mockERC20.sol";

contract SignatureFrontrun is Test {
    error InvalidSignature(address account);
}
```