Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

krot-0025 - Lack of EOA check for Noun owner leads to potential vulnerability #165

Open
sherlock-admin4 opened this issue Nov 30, 2024 · 0 comments
Open

krot-0025 - Lack of EOA check for Noun owner leads to potential vulnerability #165

sherlock-admin4 opened this issue Nov 30, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Nov 30, 2024
edited
Loading

krot-0025

High

Lack of EOA check for Noun owner leads to potential vulnerability

Summary

When the attacker owns the Noun NFT in the smart contract and not in the EOA they can define functions like fallback and receive in their contract which will leads to potential Re-entrancy or DOS attack in the StreamEscrow.sol contract.

Root Cause

When the attacker owns the Noun in the smart contract he will describe the fallback function in that smart contract which will be used by calling the cancelStream function from the contract. Because this function contains :-

(bool sent, ) = msg.sender.call{ value: amountToRefund }('');
require(sent, 'failed to send eth');

https://github.com/sherlock-audit/2024-11-nounsdao/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/StreamEscrow.sol#L166-L186

  • While Re-entrancy, here msg.sender will be a malicious smart contract with fallback or receive function and upon receiving ether it triggers another function before the first function completes.
  • While DOS, msg.sender will be a similar malicious contract with functions but the function like fallback can be a excessive gas consumable function which will result in the revert of the transaction in which the call will failt or it will prevent the cancelStream function from completing and blocks the refunds for all the user in same scenario.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  • [RE-Entrancy]
    1. Initialize the Stream as the owner of the Noun (holding Noun in the smart contract). The contract includes malicious fallback function.
    1. Now the attacker calls the cancelStream function . It will trigger the call and the fallback function from the malicious contract executes.
    1. The fallback function again call the cancelStream function before the first execution finishes.
    1. This way attacker can withdraw funds multiple times because state will not update fully before execution completes. This could result in draining the contract of Ether .
  • [DOS]
  • When the cancelStream() function is called and tries to refund Ether to the attacker's contract the call fails becaue the fallback function consume all gas or it will reverts.

Impact

Loss of funds from the treasury in the form of refund or legit user unable to call the function for cancelling the stream.

PoC

No response

Mitigation

Try adding checks which will only allow EOA to hold Nouns or use Openzeppelin reentrancy protection contract.
@sherlock-admin4 sherlock-admin4 changed the title Magnificent Fuzzy Guppy - Lack of EOA check for Noun owner leads to potential vulnerability krot-0025 - Lack of EOA check for Noun owner leads to potential vulnerability Dec 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4