Post-Mortem: 9/7/23 - Forced Cancel Unlock

This is a post-mortem document describing a high severity [1] bug that was fixed on 9/7/23.

Summary

A vulnerability in the TicketBroker contract used to process winning tickets as a part of the probabilistic micropayment (PM) protocol was reported to the core team on 8/12/23 by a whitehat hacker, via Livepeer’s Immunefi bug bounty program. This vulnerability, if exploited, would have allowed an attacker to forcibly cancel a broadcaster’s unlock request thereby preventing the broadcaster from withdrawing funds from its deposit and reserve. No funds were at risk of direct theft, but an exploit could have prevented broadcasters from withdrawing funds.

Vulnerability

Description

An attacker would have been able to grief a broadcaster by forcibly cancelling their unlock request by calling fundDepositAndReserveFor() with _addr set to the broadcaster’s address. The only cost to the attacker is the gas fee for that transaction.

Potential Impact

Each time this attack is executed, the broadcaster’s withdraw round is reset, so the broadcaster must initiate another unlock request, which restarts the unlock period timer that must elapse before the broadcaster can withdraw funds.

This attack is repeatable so a broadcaster could be consistently unable to withdraw funds.

Likelihood of Exploitation

The primary motivation of the attacker would be to grief broadcasters by preventing them from withdrawing funds.

At the technical level, an attacker would need to selectively target broadcasters that wish to withdraw and that have initiated unlock requests.

At the capital cost level, each attack would cost gas fees.

At the time of writing, there were 14 broadcasters.

Mitigation

Description

The fix for the vulnerability was additional conditional statements ensuring that a third party caller (i.e. not msg.sender) cannot cancel a broadcaster’s unlock request when funding the broadcaster’s deposit and/or reserve.
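The following sketch, added here as an illustration and not taken from Livepeer’s TicketBroker source, shows the bug described under Vulnerability and the shape of the fix described above in one minimal contract. Only fundDepositAndReserveFor() and _addr come from this post-mortem; the contract name, the Sender struct, the unlock()/cancelUnlock()/withdraw() functions, the round bookkeeping and the exact form of the conditional are assumptions chosen to make the pattern self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified deposit/reserve/unlock state machine written for
// this post-mortem. It is NOT Livepeer's TicketBroker; everything except
// fundDepositAndReserveFor and _addr is an assumption for illustration.
contract UnlockGuardExample {
    struct Sender {
        uint256 deposit;
        uint256 reserve;
        uint256 withdrawRound; // 0 means no unlock request is in progress
    }

    mapping(address => Sender) public senders;
    uint256 public unlockPeriod;  // length of the unlock period, in rounds
    uint256 public currentRound;  // assumed to be advanced by a round manager

    constructor(uint256 _unlockPeriod) {
        unlockPeriod = _unlockPeriod;
    }

    // Stand-in for the round manager so the contract can be exercised in tests.
    function setRound(uint256 _round) external {
        currentRound = _round;
    }

    function isUnlockInProgress(address _addr) public view returns (bool) {
        return senders[_addr].withdrawRound != 0;
    }

    // A broadcaster starts the unlock timer for its own deposit and reserve.
    function unlock() external {
        Sender storage s = senders[msg.sender];
        require(s.deposit > 0 || s.reserve > 0, "nothing to unlock");
        require(!isUnlockInProgress(msg.sender), "unlock already in progress");
        s.withdrawRound = currentRound + unlockPeriod;
    }

    // Only the broadcaster itself may explicitly cancel its own unlock request.
    function cancelUnlock() external {
        require(isUnlockInProgress(msg.sender), "no unlock in progress");
        senders[msg.sender].withdrawRound = 0;
    }

    function withdraw() external {
        Sender storage s = senders[msg.sender];
        require(isUnlockInProgress(msg.sender), "no unlock request");
        require(currentRound >= s.withdrawRound, "unlock period not over");
        uint256 amount = s.deposit + s.reserve;
        s.deposit = 0;
        s.reserve = 0;
        s.withdrawRound = 0;
        payable(msg.sender).transfer(amount);
    }

    // VULNERABLE PATTERN (the behaviour the post-mortem describes): funding on
    // behalf of another address unconditionally resets that address's
    // withdrawRound, so any caller can cancel a broadcaster's unlock request
    // for the price of gas. Kept only to contrast with the hardened form below.
    function fundDepositAndReserveFor_vulnerable(
        address _addr,
        uint256 _depositAmount,
        uint256 _reserveAmount
    ) external payable {
        require(msg.value == _depositAmount + _reserveAmount, "value mismatch");
        Sender storage s = senders[_addr];
        s.deposit += _depositAmount;
        s.reserve += _reserveAmount;
        if (isUnlockInProgress(_addr)) {
            s.withdrawRound = 0; // cancels the unlock regardless of who called
        }
    }

    // HARDENED FORM: the unlock request is cancelled only when the caller is
    // funding its own account (msg.sender == _addr). A third party can still
    // top up a broadcaster's deposit and reserve, but cannot touch the
    // broadcaster's withdraw timer.
    function fundDepositAndReserveFor(
        address _addr,
        uint256 _depositAmount,
        uint256 _reserveAmount
    ) external payable {
        require(msg.value == _depositAmount + _reserveAmount, "value mismatch");
        Sender storage s = senders[_addr];
        s.deposit += _depositAmount;
        s.reserve += _reserveAmount;
        if (msg.sender == _addr && isUnlockInProgress(_addr)) {
            s.withdrawRound = 0; // self-funding still implies the sender wants to keep funds in
        }
    }
}
```

The test that would have caught the bug follows directly from the Takeaways section: have account A call unlock(), have account B call fundDepositAndReserveFor(A, ...) with any amounts, and assert that isUnlockInProgress(A) is still true and that A’s withdrawRound is unchanged. Running that same assertion against the vulnerable function fails, which is the regression check to keep in the suite.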

Takeaways

The vulnerability could have been prevented with a more thorough review of the space of allowable actions for a third party caller made in the fundDepositAndReserveFor() function and additional test cases for each of the allowable actions for the third party caller.

In the future, when introducing any new functionality that allows addresses to call functions on behalf of broadcasters, all test cases will take into account the entire space of allowable actions for the third party caller, ensuring that the third party caller has only the required, restricted privileges.

Conclusion

The core team thanks the Immunefi whitehat hacker for their responsible disclosure of this vulnerability which helped safeguard the users of the Livepeer network. They have been awarded a bug bounty payout for the disclosure based on the guidelines for reward amounts of high vulnerabilities in the bug bounty program.

[1] As classified based on the severity system used for the Immunefi bug bounty program.
