Lines of code
<https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/features/Blocklist.sol#L23>
Users can create an un-bannable contract by working from a contract's constructor and then self-destructing on each instantiation.
Users can also deterministically deploy the contract to the same address every time they want to interact with fiatDAO contracts by using the create2 function to deploy.
Please always remember that contracts calling external functions from their constructor always have a 0 extcodesize, which _isContract relies on.
Example of a contract that could never be banned (because extcodesize is always 0 for this contract); we can deterministically deploy this contract to the same address using create2 and make arbitrary calls to fiatDAO:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Attacker {
    // Every call is made from inside the constructor, where extcodesize(this) == 0,
    // so an _isContract check based on extcodesize treats this address as an EOA.
    constructor(address addrs, bytes[] memory callDatas) {
        for (uint i; i < callDatas.length; i++) {
            addrs.call(callDatas[i]);
        }
        // Clear the code again so the same address can be reused via create2.
        selfdestruct(payable(msg.sender));
    }
}
```
I recommend allowing the blocklist to ban all types of addresses, you really can't control how users prepare their malicious smart contracts. The isContract check is kind of an arbitrary guard that users can get around.
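To make the recommendation concrete, here is an added illustration (not the project's Blocklist.sol, whose exact layout is assumed here) showing the extcodesize-based guard beside a blocking function that accepts any address. The `manager` role and function names are assumptions for the sake of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract BlocklistExample {
    address public immutable manager; // assumed admin role for this example
    mapping(address => bool) private _blocked;

    constructor(address manager_) {
        manager = manager_;
    }

    // Weak guard: extcodesize is 0 while a contract's constructor is running
    // and 0 again after selfdestruct, so the constructor-only pattern above
    // is never recognised as a contract here.
    function _isContract(address addr) internal view returns (bool) {
        uint256 size;
        assembly {
            size := extcodesize(addr)
        }
        return size > 0;
    }

    // Vulnerable form: refuses to block anything the weak guard rejects.
    function blockContractOnly(address addr) external {
        require(msg.sender == manager, "not manager");
        require(_isContract(addr), "not a contract");
        _blocked[addr] = true;
    }

    // Hardened form: any address can be blocked, including one that the
    // create2 pattern will redeploy to, because the address itself is keyed.
    function blockAddress(address addr) external {
        require(msg.sender == manager, "not manager");
        _blocked[addr] = true;
    }

    function isBlocked(address addr) external view returns (bool) {
        return _blocked[addr];
    }
}
```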