RACE #32 Of The Secureum Bootcamp Epoch∞

Correct is A, D.

A: When calling the deposit(_token) function, it takes note of the current _token balance and stores it in balanceBefore. Then the depositCallback() function is called on the msg.sender, ie. the caller of the deposit() function. This is intended to allow the msg.sender to transfer some tokens to the InvestmentProtocol contract and return, after which the deposit() function will determine how many tokens the msg.sender sent by computing balanceAfter - balanceBefore.

The problem is that, instead of sending the tokens and returning, the msg.sender could reenter the InvestmentProtocol contract by once again calling the deposit() function. Any balance sent to the contract during the following second call to depositCallback() will be counted for both the first and the second call to deposit(), effectively counting the same balance as two deposits.

This means that the user's balance within the protocol (according to userBalances[msg.sender][_token]) will be double the amount of tokens that the user actually transferred. When the attacker then calls the withdraw() function to obtain their full balance, they actually end up draining tokens that were deposited by other users.

"This is challenging for many security experts to find. In fact, two auditors from our team missed it (though I don’t know whether they really spent much time). The difficulty in finding this reentrancy is not in recognizing that there is reentrancy: there’s a direct call to the msg.sender. The difficulty is in understanding how it can be exploited. The attack is by re-entering and doing another deposit, which causes the deposited amount to be accounted-for twice. The attacker can then call withdraw at whatever later point and get the funds of others. This seems obvious once stated, but it confuses many people because they expect that reentrancy will directly drain funds." ~Yannis

B: From the partial code we have available to us, it appears that, to be able to withdraw, no tokens may be currently invested (require(tokenPoolState.invested == 0)). Therefore an attacker could front-run and block a withdrawal by calling investToken(). However the comment THIS IS SPEC-ED BEHAVIOR, not a race condition! clarifies this to be as-intended.

"I'd say this is all within spec. Clearly this is partial code. But the comments in the code clearly say that withdrawal is not possible after investment starts and that everyone in the world can start investments at any point. So, it's spec-ed behavior that one cannot withdraw because investment has started, via front-running or via any other means." ~Yannis

C: In this Solidity version, integer over- or underflows are only possible within unchecked-blocks of which only one exists within this code's withdraw() function. The fact that a user's balance can never be larger than the tracked total deposited, and that both tokenPoolState.deposited and balance are downcast to uint128, means that no underflow can happen during this subtraction. The fact that unsafe downcasting to uint128 is used does also not pose issues in typical real-world scenarios. The fact that this code appears smelly is intended as a red herring.

"If uint128 overflows, a lot of services are in trouble. Even uint96 is sufficient for top DeFi services (e.g., Uniswap). I would argue this is a non-issue in anything realistic, or an extremely remote issue that would be ignored if found in a report." ~Yannis

D: The investToken() function restricts token recipients using Merkle Tree Proofs. The issue here is that the tree's leaves are 64 bytes large, created by combining two 32 byte values: The _amount and _toId. Merkle Proofs are created for Binary Trees where each two neighbouring nodes (each in the form of 32 byte hashes) are combined into a single 32 byte hash repeatedly until a single hash is obtained, the Root (permissionsRoot). With that it's possible to select any pair of hashes within this tree and use them as _amount and _toId values while still reaching the same expected Root. Therefore we can proof the inclusion of bogus values within the Merkle Tree, causing the funds to be "invested" into the zero address returned by userIdToCurAddress[_toId] due to no valid address having been mapped to the specified bogus ID.

"The second serious bug is the use of 64-byte leaves in the Merkle tree, in investToken. This allows an attacker to take internal nodes of the Merkle tree (whose hash has a known reversal into an input of two other 32-byte hashes) and pretend they are leaves. This enables an attack that can burn all the funds in the contract by sending them to address 0, for all tokens that allow transfers to such an address. This is a less serious problem than the reentrancy in deposit, because of all the above qualifications: the attacker doesn’t stand to gain, and the attack is limited with respect to the token." ~Yannis

Correct is B.

A: See explanation for C in solution of Question 1.

B: See explanation for A in solution of Question 1.

C: See explanation for C in solution of Question 1.

D: While reentering via a token with receiver-callback (eg. ERC-777) would be possible, this would not achieve anything that isn't already possible by simply calling the investToken() function multiple times. This is because the same Merkle leaf can be reused multiple times.

Correct is B.

There are two critical vulnerabilities: The reentrancy in deposit() and the use of 64-byte leaves in the Merkle Tree in investToken() (See the solution of Question 1 for detailed explanations).

While both vulnerabilities allow for a loss of funds, the reentrancy is arguably more critical as it allows the attacker to profit from the exploitation.

Correct is A.

A: See explanation for A in solution of Question 1.

B: In this Solidity version, integer over- or underflows are only possible within unchecked-blocks, of which there are none within the deposit() function.

C: No accounting issue in the absence of other threats.

D: No need for accounting for tokens of non-standard decimals for deposits.

Correct is E.

See explanations for Question 1.

Correct is B, C.

A: See explanation for D in solution of Question 2.

B: The Merkle Tree determines the amount of tokens that may be sent to each investor. These approved amounts are valid across tokens, without taking into account that different tokens may have different decimals.

"A third issue is that the approval in the Merkle tree is for an amount, independent of token decimals, and uniform across tokens. Also that the same Merkle leaf can be reused. These are logic issues that may not be important in real use. E.g., amounts may always be MAX_UINT in practice. Still, this makes (B) a valid additional choice for question Q6. (Though (C) is the answer one definitely expects to see in this question.)" ~Yannis

C: See explanation for D in solution of Question 1.

D: See explanation for B in solution of Question 1.

Correct is D.

The use of encodePacked() on its own is not problematic in this instance. We have no information which OpenZeppelin library version is used.

See detailed explanation for D in solution of Question 1.

Correct is C.

The PoolState struct packs both deposited and invested into a single storage slot. This causes minor inefficiencies when unpacking and separating the data after loading the slot when only one of them was necessary. It would be more inefficient to load two separate storage slots when both attributes of PoolState need to be accessed.

PoolState storage tokenPoolState = totalState[_token];
tokenPoolState.deposited += uint128(actualAmountDeposited);

Replacing storage with memory here would not update the actual value within storage.

"I don't see anything problematic with storage patterns in general, if used correctly, and they are used correctly here. The risk with storage patterns is aliasing (different expressions for the same storage location) and here we have nothing like that."