When the proxy delegatecalls the target contract, the target contract's code runs in the proxy's storage. This means the target code has access to all of the proxy's storage, including internal mappings. As a result, the target contract's code can manipulate minGasReserve and the _permissions mapping.
A target contract can implement the setPermission function without the if statement. This allows it to give any address permission.
How it's currently coded:
```solidity
function setPermission(
    address envoy,
    address target,
    bytes4 selector,
    bool permission
) public override {
    if (owner != msg.sender) {
        revert CustomErrors.NOT_OWNER(owner, msg.sender);
    }
    _permissions[envoy][target][selector] = permission;
}
```
How it can be coded in the target contract:
```solidity
function setPermission(
    address envoy,
    address target,
    bytes4 selector,
    bool permission
) public override {
    _permissions[envoy][target][selector] = permission;
}
```
Store and check both minGasReserve and the _permissions mapping, similar to the way owner is checked. For the mapping, hashing it before and after the delegatecall and then comparing the hashes may work.
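The recommendation above as an added example (not the project's code): a simplified proxy that snapshots owner and minGasReserve before the delegatecall and reverts if either changed. Solidity cannot enumerate or hash an entire mapping, so this example assumes that re-checking only the _permissions entry that authorized the call is acceptable; GuardedProxy, execute, ReserveWriter and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.5;

// Added example: a simplified proxy, not the project's contract.
// Names other than owner, minGasReserve and _permissions are hypothetical.
contract GuardedProxy {
    address public owner; // slot 0
    uint256 public minGasReserve; // slot 1
    mapping(address => mapping(address => mapping(bytes4 => bool))) internal _permissions; // slot 2

    error NotAuthorized();
    error ExecutionFailed();
    error OwnerChanged();
    error MinGasReserveChanged();
    error PermissionChanged();

    constructor() {
        owner = msg.sender;
        minGasReserve = 5_000; // constructed sample value
    }

    function execute(address target, bytes calldata data) external returns (bytes memory response) {
        bytes4 selector = bytes4(data[:4]);
        bool permitted = _permissions[msg.sender][target][selector];
        if (msg.sender != owner && !permitted) revert NotAuthorized();

        // Snapshot the state the target must not touch.
        address ownerBefore = owner;
        uint256 reserveBefore = minGasReserve;

        // The target's code runs against this contract's storage.
        bool success;
        (success, response) = target.delegatecall(data);
        if (!success) revert ExecutionFailed();

        // Revert the whole call (and every write it made) on any change.
        if (owner != ownerBefore) revert OwnerChanged();
        if (minGasReserve != reserveBefore) revert MinGasReserveChanged();
        if (_permissions[msg.sender][target][selector] != permitted) revert PermissionChanged();
    }
}

// Target with the same storage layout; under delegatecall its write lands in the proxy's slot 1.
contract ReserveWriter {
    address internal owner;
    uint256 internal minGasReserve;

    function setReserve(uint256 value) external {
        minGasReserve = value;
    }
}
```

Calling execute with a ReserveWriter address and setReserve calldata reverts with MinGasReserveChanged, which also rolls back the write made during the delegatecall.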