Category: Coding Mistakes

Deterministic address could be used in front-run

Low Severity
Low Impact
Low Likelihood

Description

SafetyModule and RewardsManager are deployed from the factory contract. During deployment, the factory derives a deterministic contract address from a salt.

However, the salt does not include any caller-specific data such as msg.sender. As a result, anyone who supplies the same salt as input gets the same predicted contract address, which makes deployment vulnerable to a front-run attack.

  function createSafetyModule(
    address owner_,
    address pauser_,
    UpdateConfigsCalldataParams calldata configs_,
    bytes32 salt_ // caller-supplied salt
  ) external returns (ISafetyModule safetyModule_) {
    // ...
    ISafetyModuleFactory safetyModuleFactory_ = safetyModuleFactory;
    isSafetyModule[ISafetyModule(safetyModuleFactory_.computeAddress(salt_))] = true;
    // salt_ is forwarded unchanged; msg.sender is not mixed in
    safetyModule_ = safetyModuleFactory_.deploySafetyModule(owner_, pauser_, configs_, salt_);
  }

  function deploySafetyModule(
    address owner_,
    address pauser_,
    UpdateConfigsCalldataParams calldata configs_,
    bytes32 baseSalt_
  ) public returns (ISafetyModule safetyModule_) {
    // ...
    // The deterministic address is derived from salt(baseSalt_), with no caller input
    safetyModule_ = ISafetyModule(address(safetyModuleLogic).cloneDeterministic(salt(baseSalt_)));
    emit SafetyModuleDeployed(safetyModule_);
    safetyModule_.initialize(owner_, pauser_, configs_);
  }

  function computeAddress(bytes32 baseSalt_) external view returns (address) {
    return Clones.predictDeterministicAddress(address(rewardsManagerLogic), salt(baseSalt_), address(this));
  }

  function salt(bytes32 baseSalt_) public view returns (bytes32) {
    // ...
    // Only baseSalt_ and the chain ID are hashed; the caller is not included
    return keccak256(abi.encode(baseSalt_, block.chainid));
  }

Impact

An attacker could front-run the deployment functions. If a user of the factory contract does not check that the deployment transaction succeeded and interacts with the contract at the address returned by computeAddress in the factory contract, the user could end up using a malicious contract.

For example, an attacker could silently add their payout address to redirect the movement of funds.

Recommendations

We recommend adding caller data (msg.sender) to the salt. This would prevent an attacker from deploying to the contract address the user expects.
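
One way to apply this recommendation, shown as an added example that is not the audited project's code or its actual remediation. ExampleFactory, IInitializable, the deployer_ parameter and the simplified initialize signature are hypothetical; Clones is OpenZeppelin's library, as used in the snippets above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical stand-in for the cloned logic contract's initializer.
interface IInitializable {
  function initialize(address owner_, address pauser_) external;
}

// Hypothetical factory illustrating a caller-bound salt.
contract ExampleFactory {
  using Clones for address;

  address public immutable logic;

  event Deployed(address indexed deployer, address instance);

  constructor(address logic_) {
    logic = logic_;
  }

  // The deployer is hashed into the salt, so the same baseSalt_ maps to a
  // different clone address for every caller.
  function salt(address deployer_, bytes32 baseSalt_) public view returns (bytes32) {
    return keccak256(abi.encode(deployer_, baseSalt_, block.chainid));
  }

  // The deployer is an explicit argument, so the prediction does not depend
  // on which account happens to make the view call.
  function computeAddress(address deployer_, bytes32 baseSalt_) external view returns (address) {
    return Clones.predictDeterministicAddress(logic, salt(deployer_, baseSalt_), address(this));
  }

  function deploy(address owner_, address pauser_, bytes32 baseSalt_) external returns (address instance_) {
    // A front-runner who copies baseSalt_ deploys to an address derived from
    // their own msg.sender, not to the address the original caller predicted.
    instance_ = logic.cloneDeterministic(salt(msg.sender, baseSalt_));
    emit Deployed(msg.sender, instance_);
    IInitializable(instance_).initialize(owner_, pauser_);
  }
}
```

When deployment is routed through an intermediate contract, as createSafetyModule does above, msg.sender at the factory is that intermediate contract, so it must mix its own msg.sender into the salt before forwarding it.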

Remediation

Zellic © 2024