Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-08-MIMO-FINDINGS-ISSUES-84
HistoryAug 07, 2022 - 12:00 a.m.

Delegate call can manipulate minGasReserve and the _permissions mapping.

2022-08-0700:00:00
Code4rena
github.com
2
JSON

Lines of code

Vulnerability details

Impact

When the proxy delegatecalls the target contract the target contracts code runs in the proxy’s storage. This means the target code has access to all of proxy’s storage including internal mappings. As a result, the target contracts code can manipulate minGasReserve and the _permissions mapping.

Proof of Concept

target contract implements the setPermission function without the if statement. This allows them to give any address permission.

How its currently coded:

function setPermission(
    address envoy,
    address target,
    bytes4 selector,
    bool permission
  ) public override {
    if (owner != msg.sender) {
      revert CustomErrors.NOT_OWNER(owner, msg.sender);
    }
    _permissions[envoy][target][selector] = permission;
  }

How it can be coded in the target contract:

function setPermission(
    address envoy,
    address target,
    bytes4 selector,
    bool permission
  ) public override {
    _permissions[envoy][target][selector] = permission;
  }

Recommended Mitigation Steps

Store and check both minGasReserve and the _permission mapping similar to the way owner is checked. For the mapping maybe hashing it before and after the delegatecall then comparing the hashes will work.

The text was updated successfully, but these errors were encountered:

👀 1 horsefacts reacted with eyes emoji

All reactions

  • 👀 1 reaction
JSON