The mitigation of H-08 tries to validate the vault returned by `_market` against the `VaultRegistry`. However, it only validates that the vault exists, not that it is the correct vault. An attack similar to the one described in code-423n4/2022-12-tessera-findings#47 can be carried out by using a valid vault address that is permissionlessly deployed with `VaultRegistry.createFor` but has its owner set to the attacker.
```solidity
(, uint256 id) = IVaultRegistry(registry).vaultToToken(vault);
if (id == 0) revert NotVault();
```
```solidity
function execute(
    address _target,
    bytes calldata _data,
    bytes32[] calldata _proof
) external payable returns (bool success, bytes memory response) {
    bytes4 selector;
    assembly {
        selector := calldataload(_data.offset)
    }
    // Generate leaf node by hashing module, target and function selector.
    bytes32 leaf = keccak256(abi.encode(msg.sender, _target, selector));
    // Check that the caller is either a module with permission to call or the owner.
    if (!MerkleProof.verify(_proof, MERKLE_ROOT(), leaf)) {
        if (msg.sender != FACTORY() && msg.sender != OWNER())
            revert NotAuthorized(msg.sender, _target, selector);
    }
    (success, response) = _execute(_target, _data);
}
```
Also check the owner of the vault.
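The following is an added illustration of the recommendation, not Tessera's code. It places the mitigation's existence-only check next to a hardened variant that also binds the vault to an expected owner. The mock registry, the mock vault, the `IVaultLike`/`IVaultRegistryLike` interface names and the `expectedOwner` parameter are assumptions made for this example; the real `VaultRegistry` and `Vault` signatures should be used in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not project code. Interface names are assumptions.
interface IVaultRegistryLike {
    function vaultToToken(address vault) external view returns (address token, uint256 id);
}

interface IVaultLike {
    function OWNER() external view returns (address);
}

// Minimal stand-in for a vault whose owner is fixed at deployment.
contract MockVault {
    address private immutable owner_;
    constructor(address o) { owner_ = o; }
    function OWNER() external view returns (address) { return owner_; }
}

// Minimal stand-in for a registry with a permissionless createFor:
// anyone can register a vault and choose its owner.
contract MockRegistry {
    uint256 public nextId = 1;
    mapping(address => uint256) private ids;

    function createFor(address o) external returns (address vault) {
        vault = address(new MockVault(o));
        ids[vault] = nextId++;
    }

    function vaultToToken(address vault) external view returns (address, uint256) {
        return (address(this), ids[vault]);
    }
}

contract VaultCheckExample {
    error NotVault();
    error WrongVaultOwner(address vault, address actual, address expected);

    address public immutable registry;

    constructor(address _registry) { registry = _registry; }

    // Existence-only check, as in the H-08 mitigation.
    // Any vault registered through the permissionless createFor passes,
    // including one whose owner is the attacker.
    function checkVaultWeak(address vault) public view {
        (, uint256 id) = IVaultRegistryLike(registry).vaultToToken(vault);
        if (id == 0) revert NotVault();
    }

    // Hardened check: existence AND owner binding. `expectedOwner` is
    // whatever address the calling context legitimately expects to own
    // the vault (an assumption here; the project decides the source).
    function checkVaultStrict(address vault, address expectedOwner) public view {
        (, uint256 id) = IVaultRegistryLike(registry).vaultToToken(vault);
        if (id == 0) revert NotVault();
        address actual = IVaultLike(vault).OWNER();
        if (actual != expectedOwner) revert WrongVaultOwner(vault, actual, expectedOwner);
    }

    // Returns true only if the strict check passes; convenient for scripted tests.
    function isLegitimateVault(address vault, address expectedOwner) external view returns (bool) {
        (, uint256 id) = IVaultRegistryLike(registry).vaultToToken(vault);
        if (id == 0) return false;
        return IVaultLike(vault).OWNER() == expectedOwner;
    }
}
```

To reproduce the scenario in the finding, deploy `MockRegistry`, call `createFor(attacker)` from any account, and pass the returned address to both checks with `expectedOwner` set to the legitimate owner: `checkVaultWeak` accepts the attacker-owned vault, while `checkVaultStrict` reverts with `WrongVaultOwner`.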