Submitted on Mar 6th 2024 at 14:21:15 UTC by @OceanAndThunders for Boost | ZeroLend
Report ID: #29069
Report type: Smart Contract
Report severity: Medium
Target: https://explorer.zksync.io/address/0x54d6F91bE4509826559ad12E1Ca6CA3A6C3811e0
Impacts:
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Hello team,
The repayWithPermit and supplyWithPermit functions on pool contract "0x54d6F91bE4509826559ad12E1Ca6CA3A6C3811e0" uses the permit function for external ERC20 contract, an attacker can front run the permit function , thus the pool.repayWithPermit and pool.supplyWithPermit will automatically reverts, allows a chain call/transaction all be griefed
The pool contract "0x54d6F91bE4509826559ad12E1Ca6CA3A6C3811e0" allows the user to supply with permit to external contract by providing the permit hash to pool.repayWithPermit, this later will call external token with the given permit bytes, the functions repayWithPermit and supplyWithPermit will revert if the attacker front runs the token.permit with the victim's bytes, the first call will succeed and consumes the nonce, thus the pool.repayWithPermit (the original call) will revert then, the call/transaction will be reverted all the way
Denying users from using the pool.repayWithPermit and pool.supplyWithPermit properly
Example explanation of the issue : https://www.trust-security.xyz/post/permission-denied
In this test "https://github.com/zerolend/core-contracts/blob/146f7bc50b8b9850cf9048989cd734e51c400b48/test-suites/pool-l2.spec.ts#L382" include this line at 411 (as the attacker called the permit before the protocols call usdc.permit) :
// extracteting v, r, s from the mempool and calling the usdc.permit before pool.repayWithPermit
//the usedc.permit call should succeed, thus it will rsults for the pool.repayWithPermit call failure
await usdc.permit(deployer.address,l2Pool.address,amount.toString(),highDeadline,v,r,s);
This will makes the function reverts !
Regards,
Adam