Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

franfran20 - Fontaine Creation Could Force Users To Only Unlock Tokens Through Instant Unlocks #69

Open
sherlock-admin2 opened this issue Nov 24, 2024 · 0 comments
Open

franfran20 - Fontaine Creation Could Force Users To Only Unlock Tokens Through Instant Unlocks #69

sherlock-admin2 opened this issue Nov 24, 2024 · 0 comments

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Nov 24, 2024
edited
Loading

franfran20

High

Fontaine Creation Could Force Users To Only Unlock Tokens Through Instant Unlocks

Summary

When a user wishes to unlock their tokens in the FluidLocker contract they have the option of vest unlock or instant unlock(duration of 0), with instant unlock they lose 80% of their locked tokens but with vest unlock they get to keep almost the complete lock amount the longer they spread the unlocking for. The issues arises in the salt value that is used in the create2 for the fontaine BeaconProxy (the address of the locker and the fontaineCount).

This would allow a malicious user to be able to pre deploy and occupy the contract space that the lockers fontaine would initially have been deployed to leading to the vesting unlock to revert.

https://github.com/sherlock-audit/2024-11-superfluid-locking-contract/blob/main/fluid/packages/contracts/src/FluidLocker.sol#L349-L370

Root Cause

The root cause of the issue lies in the fact that the salt values used when deploying the fontaine BeaconProxy are easily predictable. Therefore this allows the attacker to deploy a fontaine BeaconProxy contract to that address and prevents the user from being able to unlock their tokens from their locker asides using the instant unlock method.

https://github.com/sherlock-audit/2024-11-superfluid-locking-contract/blob/main/fluid/packages/contracts/src/FluidLocker.sol#L356

Internal pre-conditions

The locker owner should have some available funds to want to unlock in the locker.

External pre-conditions

The attacker should get the lockers contract address and the current fontaineCount of the locker and deterministically deploy to that address and occupy the contract address for that space.

Attack Path

When the locker owner decides to unlock tokens form his locker contract the function reverts because the fontaine contract cannot be deployed because another contract already occupies that space leading to the function reverting.

Impact

The locker owner is forced to only be able to unlock their tokens through instant unlock since they cannot unlock through the vest unlock because of the fontaine contract creation reverting. This causes the loser to lose 80% of their locked amount.

PoC

No response

Mitigation

Simply use normal deployment methods for the fontaine contract and keep track of them using a mapping.
@sherlock-admin2 sherlock-admin2 changed the title Melodic Opal Crocodile - Fontaine Creation Could Force Users To Only Unlock Tokens Through Instant Unlocks franfran20 - Fontaine Creation Could Force Users To Only Unlock Tokens Through Instant Unlocks Nov 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2