
Re-entrancy Vulnerability

Open captnseagraves opened this issue 6 years ago • 0 comments

Credit to Liam Zebedee for finding this bug

The following is from Liam's email notifying us of the vulnerability:

Exploit mechanism: Re-entrancy attacks

If the ERC20.transferFrom call is re-entrant, meaning it will maliciously call back into the Subscription, it is possible to exploit some facts:

```solidity
// increment the timestamp by the period so it won't be valid until then
nextValidTimestamp[subscriptionHash] = block.timestamp.add(periodSeconds);
```

This is executed before transferFrom - so a malicious actor (who specifically has engineered their own proxy contract with a valid nonce/sig for re-entrant calls) can effectively extend their subscription period by periodSeconds every call. Infinite Netflix anyone?

captnseagraves Oct 23 '18 19:10
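One way to close the window described in the issue, as an added example that is not the project's code or its fix: a mutex on the execution function rejects any nested call made from inside `transferFrom`. Only `nextValidTimestamp`, `subscriptionHash`, `periodSeconds` and `transferFrom` come from the issue; the contract name, function signature and hash construction are assumptions, and the signature/nonce validation the issue mentions is not shown here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Hypothetical names: GuardedSubscription, execute,
// executing, nonReentrant, and the way subscriptionHash is derived.
interface IERC20 {
    function transferFrom(address from, address to, uint256 value)
        external returns (bool);
}

contract GuardedSubscription {
    mapping(bytes32 => uint256) public nextValidTimestamp;
    bool private executing; // true while execute() is on the call stack

    // Reject any call that arrives while an execution is still in progress,
    // which is exactly what a re-entrant token contract would attempt.
    modifier nonReentrant() {
        require(!executing, "re-entrant call");
        executing = true;
        _;
        executing = false;
    }

    function execute(
        IERC20 token,
        address from,
        address to,
        uint256 amount,
        uint256 periodSeconds
    ) external nonReentrant {
        // Assumption: the hash binds all subscription terms together.
        // Signature and nonce validation belong here and are omitted
        // because the issue does not show them.
        bytes32 subscriptionHash =
            keccak256(abi.encode(address(token), from, to, amount, periodSeconds));

        require(block.timestamp >= nextValidTimestamp[subscriptionHash], "not ready");

        // State is updated before the external call, as in the quoted line
        // (0.8 checked arithmetic replaces SafeMath's .add).
        nextValidTimestamp[subscriptionHash] = block.timestamp + periodSeconds;

        // Untrusted external call: the token may try to call back in.
        // The guard makes that nested call revert.
        require(token.transferFrom(from, to, amount), "transfer failed");
    }
}
```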