Attacker Can Operate Without Gas #99

Open
hats-bug-reporter bot opened this issue Sep 13, 2024 · 6 comments
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter
Github username: --
Twitter username: --
Submission hash (on-chain): 0x3ca345215bbf885a0ea3fded4f4ff9376d376cf07673e830734fad89d452b4d7
Severity: medium

Description

Because of the IERC1155Receiver(to).onERC1155Received function, the receiver can do its own operations. If a user calls operateFlowMatrix and sends circles through the attacker, the attacker can do it without gas.

Attack Scenario
The user calls operateFlowMatrix and sends circles through the attacker.
operateFlowMatrix()=>_callAcceptanceChecks()=>_acceptanceCheck()=>_doSafeTransferAcceptanceCheck()=>IERC1155Receiver(to).onERC1155Received(operator, from, id, value, data)
In this function the attacker can do operations but doesn't consume gas. All gas fees will be paid by the user.
For example, he can call personalMint().
In the future, it can cause very dangerous problems like re-entrancy attacks.

Consider checking tx.origin == msg.sender in important public/external functions.

Attachments

  1. Proof of Concept (PoC) File
  2. Revised Code File (Optional)
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Sep 13, 2024
@benjaminbollen
ERC1155 standard

@benjaminbollen benjaminbollen added the invalid This doesn't seem right label Sep 16, 2024
@NicholeConn1024
In the onERC1155Received function, the attacker can call personalMint() like in "personalMint() reentrancy attack #8".
So a re-entrancy attack is available and the attacker can mint without gas.
It's good to consider checking tx.origin == msg.sender.

@benjaminbollen
It is generally unadvised to rely on tx.origin. But even then, not an issue. Don't send tokens to an attacker contract.

@NicholeConn1024
NicholeConn1024 commented Sep 16, 2024

It is not bad to check tx.origin == msg.sender.
I know that and I don't recommend relying on tx.origin.
I think the user can trust the attacker. The attacker doesn't destroy the user's account or steal tokens.
If the user trusts the attacker, the attacker can mint without consuming gas or interacting with the contract.

@NicholeConn1024
I think it can be low risk at least.
The attacker can deceive the user and mint without interacting with the system.

@NicholeConn1024
NicholeConn1024 commented Sep 24, 2024

The attacker can mint without interacting with the system. This behavior differs from the intended behavior. So I think it can be low risk.
And it can be solved by using one modifier (checking tx.origin == msg.sender) in the personal mint function (and other important functions).
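As an added illustration, not the project's code and not anything posted in this thread, the following minimal contract applies the two guards discussed above to a hypothetical mint function: a reentrancy lock, and the tx.origin == msg.sender check the reporter proposes. The contract name, storage layout and mint logic are assumptions made for the example. A call issued from inside an onERC1155Received hook has msg.sender equal to the receiver contract while tx.origin is still the account that started the transaction, so the direct-call check rejects it; the same check also rejects calls from smart-contract wallets and multisigs, which is the usual reason relying on tx.origin is discouraged.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration only; not the project's personalMint.
contract DirectCallOnlyMint {
    mapping(address => uint256) public minted;
    bool private _locked;

    // Rejects any call that did not come straight from the transaction
    // originator, including calls made from a receiver contract's
    // onERC1155Received hook while another user's transaction is running.
    // Caveat: it also blocks legitimate contract wallets and multisigs.
    modifier onlyDirectCall() {
        require(tx.origin == msg.sender, "direct calls only");
        _;
    }

    // Plain mutex-style reentrancy guard (same idea as a ReentrancyGuard).
    modifier nonReentrant() {
        require(!_locked, "reentrant call");
        _locked = true;
        _;
        _locked = false;
    }

    // Both guards applied: the function can neither be re-entered nor be
    // invoked on someone else's gas from inside a callback.
    function personalMint() external onlyDirectCall nonReentrant {
        minted[msg.sender] += 1;
    }
}
```

Which of the two guards is appropriate depends on the trust model the maintainer describes: the reentrancy lock addresses the re-entry path on its own, while the direct-call check trades away contract-wallet compatibility to block the callback case entirely.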
