History: Feb 02, 2023 - 12:00 a.m.

SubprotocolRegistry is vulnerable to malicious names


Lines of code

Vulnerability details


A malicious subprotocol can be registered under a name that looks the same as that of any other subprotocol.
Users may select the malicious subprotocol because they cannot distinguish the names, and be cheated out of the subprotocolFee.

Proof of Concept

Any subprotocol can be registered with any name in SubprotocolRegistry.sol#register().

Suppose there is a popular subprotocol named “CidExt”.
A malicious user can register subprotocols with names such as “CidExt”, “CidExt”, “CIDEXT”, “cidext”, etc.

If a user looks up the list of subprotocols on a navigation page, it is difficult to find the correct “CidExt” subprotocol among the similar names.

These malicious subprotocols may allow any user to call CidNFT.sol#add() with them successfully, without having to own the subprotocol NFT in advance.
As a result, if a user selects a malicious subprotocol, he will be cheated of the protocol fee when calling CidNFT.sol#add().

Tools Used


Recommended Mitigation Steps

I recommend limiting the character set for subprotocol names: at a minimum, disallow blank characters (whitespace, tabs) and treat names case-insensitively.
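One way to implement this mitigation, as an added example rather than the project's own SubprotocolRegistry code: a hypothetical registry that lower-cases ASCII letters, rejects every byte outside `[a-z0-9_-]` (so whitespace and non-ASCII look-alikes are refused), and keys storage by the normalized name so that “CidExt”, “CIDEXT” and “cidext” all collide on one slot. The 32-byte length cap is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical registry (not the audited contract) that enforces a
/// restricted, case-insensitive name space for subprotocol names.
contract NormalizedNameRegistry {
    // keccak256(normalizedName) => registrant; one owner per normalized name
    mapping(bytes32 => address) public ownerOf;

    event Registered(string normalizedName, address indexed owner);

    /// @notice Lower-cases 'A'..'Z' and reverts on any byte outside [a-z0-9_-].
    /// @dev Whitespace, tabs and multi-byte (non-ASCII) characters are rejected.
    function normalize(string memory name) public pure returns (string memory) {
        bytes memory b = bytes(name);
        require(b.length > 0 && b.length <= 32, "bad length"); // assumed cap
        for (uint256 i = 0; i < b.length; i++) {
            bytes1 c = b[i];
            if (c >= 0x41 && c <= 0x5A) {
                // 'A'..'Z' -> 'a'..'z'
                b[i] = bytes1(uint8(c) + 32);
            } else if (
                !(c >= 0x61 && c <= 0x7A) &&   // 'a'..'z'
                !(c >= 0x30 && c <= 0x39) &&   // '0'..'9'
                c != 0x5F && c != 0x2D         // '_' and '-'
            ) {
                revert("invalid char");
            }
        }
        return string(b);
    }

    /// @notice Registers `name` for msg.sender; fails if any case/format
    ///         variant of the same name is already taken.
    function register(string calldata name) external {
        string memory n = normalize(name);
        bytes32 key = keccak256(bytes(n));
        require(ownerOf[key] == address(0), "name taken");
        ownerOf[key] = msg.sender;
        emit Registered(n, msg.sender);
    }
}
```

With this check, registering “CidExt” followed by “cidext” or “CIDEXT” reverts with “name taken”, and a name containing a space or tab reverts with “invalid char”.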
