Code4rena (code423n4): CODE423N4:2023-01-CANTO-IDENTITY-FINDINGS-ISSUES-53
Feb 02, 2023 - 12:00 a.m.

SubprotocolRegistry is vulnerable to malicious names

Code4rena
github.com

Lines of code

Vulnerability details

Impact

A malicious subprotocol can register a name that looks the same as any other protocol.
Users may use the malicious subprotocol because they can’t distinguish the names, and be cheated out of subprotocolFee.

Proof of Concept

Any subprotocol can be registered with any name in SubprotocolRegistry.sol#register().

Suppose there is a popular subprotocol named “CidExt”.
A malicious user can register malicious subprotocols with names: “CidExt”, “CidExt”, “CIDEXT”, “cidext”, etc.

If users look up a list of subprotocols on a navigation page, it is difficult to find the correct “CidExt” subprotocol among the similar names.

These malicious subprotocols may allow any user to call CidNFT.sol#add() with them successfully, without having to own the subprotocol NFT in advance.
As a result, if a user selects a malicious subprotocol, they will be cheated of the protocol fee when calling CidNFT.sol#add().

Tools Used

Manual

Recommended Mitigation Steps

I recommend limiting the character set for subprotocol names, at least disabling blank chars (whitespace, tabs) and being case-insensitive.
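
One way to implement the mitigation above, as an added example that is not part of the original finding or of the Canto Identity Protocol code. The contract name, error names, the 32-byte length limit and the allowed set `[A-Za-z0-9_-]` are assumptions chosen for illustration; the sample names in the comments are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration only: not the project's SubprotocolRegistry.
/// Contract, function and error names here are hypothetical.
contract NameCanonicalizationExample {
    error EmptyName();
    error NameTooLong(uint256 length);
    error InvalidCharacter(uint256 index, bytes1 char);
    error NameTaken(string canonical);

    uint256 public constant MAX_NAME_LENGTH = 32; // assumed limit

    // keccak256 of the canonical (lower-case) name => already registered
    mapping(bytes32 => bool) private taken;

    /// Reject anything outside [A-Za-z0-9_-] and fold A-Z to a-z.
    /// Spaces, tabs and every byte >= 0x80 (so all multi-byte UTF-8) revert.
    function canonicalize(string memory name) public pure returns (string memory) {
        bytes memory b = bytes(name);
        if (b.length == 0) revert EmptyName();
        if (b.length > MAX_NAME_LENGTH) revert NameTooLong(b.length);
        for (uint256 i = 0; i < b.length; i++) {
            bytes1 c = b[i];
            if (c >= 0x41 && c <= 0x5A) {
                b[i] = bytes1(uint8(c) + 32); // 'A'-'Z' -> 'a'-'z'
            } else if (
                !((c >= 0x61 && c <= 0x7A) || (c >= 0x30 && c <= 0x39) || c == 0x5F || c == 0x2D)
            ) {
                revert InvalidCharacter(i, c);
            }
        }
        return string(b);
    }

    /// Uniqueness is enforced on the canonical form: once "CidExt" is taken,
    /// "CIDEXT" and "cidext" revert with NameTaken, while constructed inputs
    /// such as "CidExt " or "\tCidExt" revert earlier with InvalidCharacter.
    function register(string calldata name) external returns (string memory canonical) {
        canonical = canonicalize(name);
        bytes32 key = keccak256(bytes(canonical));
        if (taken[key]) revert NameTaken(canonical);
        taken[key] = true;
    }
}
```

Restricting names to ASCII also rules out Unicode look-alike characters, which a whitespace-only filter would still accept.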

