Disclosure: New LandWorks facets deployed to improve the security of the protocol

Daniel Ivanov
EnterDAO
Jan 31, 2022

TLDR: EnterDAO has improved the security of LandWorks by leveraging the community brains and the bug bounty program.

Summary

On January 26, 2022, around 8:50 PM EET, while reviewing LandWorks contracts, @nachomazzara found a vulnerability and reached out privately to the EnterDAO team to disclose it.

No user funds have been lost, and no users were (or are) at immediate risk of losing funds. The vulnerability has not been exploited.

Vulnerability

LandWorks allows Decentraland LAND/ESTATE owners to list their properties for rent. Users are able to rent listed land by executing a rent function. The method signature is the following:

/// @notice Rents an asset for a given period
/// Charges user for the rent upfront. Rent starts from the last
/// rented timestamp or from the current timestamp of the
/// transaction
/// @param _assetId The target asset
/// @param _period The target rental period (in seconds)
function rent(uint256 _assetId, uint256 _period) external

The vulnerability arises from a race condition in which the attacker front-runs the renter. A renter paying the rent in an ERC-20 token first executes an approve transaction, which authorises LandWorks to spend the renter’s ERC-20 funds. When the renter then submits the rent transaction, a malicious lender can submit a transaction updating the conditions of the lending (e.g., changing the token in which the rent is paid, or making the amount to be paid much higher). If the updateConditions transaction is executed before the rent transaction, it changes the conditions under which the renter wanted to rent the property. This can result in the renter's approved ERC-20 balance being drained when renting the property.

Mitigation

Immediately after the disclosure, the team redeployed the LandWorks UI with a new version that does not perform maximum approval for ERC-20 tokens. This guaranteed that no user would be at risk of losing their funds while we were working on a fix at the protocol level.

The team implemented new Marketplace and Decentraland facets, tested the updates, and deployed the new versions. The updates contain a new function signature that includes the specific paymentToken and amount:

/// @notice Rents an asset for a given period
/// Charges user for the rent upfront. Rent starts from the last
/// rented timestamp or from the current timestamp of the
/// transaction
/// @param _assetId The target asset
/// @param _period The target rental period (in seconds)
/// @param _paymentToken The current payment token for the asset
/// @param _amount The target amount to be paid for the rent
function rent(
uint256 _assetId,
uint256 _period,
address _paymentToken,
uint256 _amount
) external

Through this update, the vulnerability is mitigated since the rent function requires renters to explicitly specify the token and amount they are expecting to pay. If the parameters do not match the listing, the transaction reverts.
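
A minimal Solidity sketch of the check described above, added here as an illustration and not taken from the LandWorks code base. The contract name, storage layout, list function and per-second pricing are assumptions; only the rent parameters and the updateConditions name come from this post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not LandWorks code. Contract name, storage layout, list()
// and per-second pricing are assumptions; assumes an ERC-20 that returns bool.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RentalSketch {
    struct Listing {
        address lender;
        address paymentToken;   // ERC-20 the rent is charged in
        uint256 pricePerSecond; // price in paymentToken units
    }

    mapping(uint256 => Listing) public listings;
    mapping(uint256 => uint256) public rentedUntil;

    function list(uint256 _assetId, address _paymentToken, uint256 _pricePerSecond) external {
        require(listings[_assetId].lender == address(0), "already listed");
        listings[_assetId] = Listing(msg.sender, _paymentToken, _pricePerSecond);
    }

    // The lender can change the terms at any time, including while a rent is pending.
    function updateConditions(uint256 _assetId, address _paymentToken, uint256 _pricePerSecond) external {
        Listing storage l = listings[_assetId];
        require(msg.sender == l.lender, "not lender");
        l.paymentToken = _paymentToken;
        l.pricePerSecond = _pricePerSecond;
    }

    // The renter passes the token and amount they saw when signing. If the listing
    // changed before this transaction was mined, the call reverts instead of
    // charging the new token or price against an existing allowance.
    function rent(uint256 _assetId, uint256 _period, address _paymentToken, uint256 _amount) external {
        Listing storage l = listings[_assetId];
        require(l.lender != address(0), "not listed");
        require(_paymentToken == l.paymentToken, "payment token changed");
        require(_amount == l.pricePerSecond * _period, "amount changed");
        // Effects before the external call: extend from the last rented timestamp or now.
        uint256 start = rentedUntil[_assetId] > block.timestamp ? rentedUntil[_assetId] : block.timestamp;
        rentedUntil[_assetId] = start + _period;
        require(IERC20(_paymentToken).transferFrom(msg.sender, l.lender, _amount), "transfer failed");
    }
}
```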

Bug Bounty

Protocol security is a top priority for the EnterDAO team and that’s why we have set up bug bounties for every medium/high or critical issue found and reported as stated in the docs.

We are thankful to @nachomazzara for reviewing LandWorks contracts and reporting the vulnerability. We have executed our bounty program accordingly.

Admin Keys and DAO Ownership

The LandWorks protocol is based on the EIP-2535 Diamond standard pattern, which allows upgradeability. The long-term vision has always been to grant the ownership of the protocol to the EnterDAO Governance contract as stated in the whitepaper.

Now that several weeks have elapsed since the launch of the protocol, the team will be transferring the ownership of the protocol to the EnterDAO Governance contract as initially intended and the protocol will be in the hands of the EnterDAO token holders!


Daniel Ivanov
EnterDAO

Co-founder @EnterDao. Tech Lead @LimeChainHQ. Fellow @D64vc