Code4rena finding CODE423N4:2023-01-DRIPS-FINDINGS-ISSUES-240, Feb 03, 2023

Proxy admin of DripsHub, AddressDriver, NFTDriver and ImmutableSplitsDriver can steal users' tokens by upgrading the contract

Source: Code4rena (github.com)
Tags: proxy admin, contract upgrade, stolen tokens, mitigation steps

Lines of code
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/AddressDriver.sol#L19
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/NFTDriver.sol#L19
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/ImmutableSplitsDriver.sol#L11
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Managed.sol#L157-L161

Vulnerability details

Impact

The proxy admin of DripsHub, AddressDriver, NFTDriver and ImmutableSplitsDriver can perform various malicious actions by upgrading the implementation, all of which can lead to users' assets being stolen.

Proof of Concept

An upgradeable proxy contract can be upgraded to arbitrary functionality. This allows the admin of the proxy to perform malicious actions.

To use the drivers (AddressDriver, NFTDriver and ImmutableSplitsDriver), users must approve them to spend their tokens.
Therefore, the proxy admin can upgrade these drivers to a malicious implementation that steals tokens from users' wallets; it only needs to call transferFrom on the token contracts.

Most of users' tokens are transferred to DripsHub for dripping.
Therefore, the proxy admin can upgrade DripsHub to a malicious implementation that steals the tokens it holds; it only needs to call transfer on the token contracts.

Tools Used

Manual

Recommended Mitigation Steps

I recommend making these contracts un-upgradable.
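One way to implement this mitigation, shown here as an added illustration rather than Drips' own code: a UUPS-managed contract whose admin keeps the ability to upgrade until a one-way freeze is thrown, after which the implementation holding users' approvals and balances can no longer be replaced. The contract name, the `admin`/`upgradesFrozen` storage, `initialize`, `freezeUpgrades` and the OpenZeppelin import path are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed import path for OpenZeppelin's UUPS base (adjust to your remappings).
import {UUPSUpgradeable} from "openzeppelin-contracts/proxy/utils/UUPSUpgradeable.sol";

/// Illustrative managed contract (not Drips' Managed.sol). Users approve this
/// contract to spend their tokens, so whoever can swap its logic controls them.
contract FreezableManaged is UUPSUpgradeable {
    // Both fields live in the proxy's storage, so they survive upgrades.
    address public admin;
    bool public upgradesFrozen;

    event UpgradesFrozen();

    modifier onlyAdmin() {
        require(msg.sender == admin, "Caller not the admin");
        _;
    }

    // Hypothetical one-shot initializer standing in for the project's setup.
    function initialize(address admin_) external {
        require(admin == address(0) && admin_ != address(0), "Already initialized");
        admin = admin_;
    }

    // Weak setting (the behaviour the finding describes): any admin call to
    // upgradeTo replaces the logic immediately and nothing can ever stop it.
    //
    //   function _authorizeUpgrade(address) internal view override onlyAdmin {}

    // Corrected setting: the same admin gate, plus a permanent freeze check, so
    // once `freezeUpgrades` has been called no caller can change the code.
    function _authorizeUpgrade(address) internal view override onlyAdmin {
        require(!upgradesFrozen, "Upgrades frozen");
    }

    // One-way switch: after this, UUPS upgradeTo/upgradeToAndCall always revert,
    // which makes the contract effectively un-upgradeable as the finding asks.
    function freezeUpgrades() external onlyAdmin {
        upgradesFrozen = true;
        emit UpgradesFrozen();
    }
}
```

Until the freeze is set, users remain exposed exactly as described above, so the freeze event is the signal to watch for before approving the contract.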
