code423n4 / Code4rena: 2023-04-eigenlayer-findings, issue 406
May 04, 2023

Vulnerability in Pause Function


Lines of code

Vulnerability details

Impact

An attacker can exploit this vulnerability by setting any value as the new paused status code, which can allow the attacker to circumvent the pausing restrictions and carry out unauthorized actions on the contract. This can lead to significant consequences such as the loss of funds or other assets held by the contract.

Proof of Concept

First, we set up an attacker contract that holds a reference to a target implementing the IPausable interface; the target's pause and unpause functions are the ones we will call.

pragma solidity ^0.8.0;
import "./IPausable.sol";

contract Attacker {
    // Reference to the target contract that implements IPausable
    IPausable public vulnerableContract;

    constructor(IPausable _vulnerableContract) {
        vulnerableContract = _vulnerableContract;
    }
}

In this piece of code we create a contract and pass in another contract as a constructor argument. We store that vulnerable contract instance in a public variable named vulnerableContract. Later on, we use this vulnerableContract to call the pause and unpause functions that are susceptible to attack.

After that, we carry out the attack by calling the pause function of the vulnerable contract with a value that is not recognized as a valid pause status code, for instance pause(123). In the code below, our contract's attack function does exactly that: it calls the pause function of the vulnerable contract with the invalid value 123, which sets the contract's paused status to 123, a value that is not a valid pause status code.

function attack() public {
    vulnerableContract.pause(123);
    // more code here
}

What happens next is that the pause function receives the value 123 as its newPausedStatus argument and writes it into the contract's paused status. Since 123 is not a valid pause status code, the contract is now in an invalid state. Looking at the snippet below, the pause function takes a uint256 argument called newPausedStatus and assigns it to the _paused variable without checking whether it is a valid pause status code.

function pause(uint256 newPausedStatus) external {
    // newPausedStatus is stored without any validation
    _paused = newPausedStatus;
}

Once the contract is left in an invalid state, we can exploit this and execute malicious code against the vulnerable contract, for instance attempting to transfer funds out of it or performing other unauthorized actions. The snippet below shows a piece of malicious code called maliciousFunction; it first checks that the paused status of the vulnerable contract equals the invalid value 123 before executing any other code.

function maliciousFunction() public {
    require(vulnerableContract.paused() == 123, "Contract is not paused with invalid value.");
}

Finally, the attack function in our contract invokes the unpause function of the vulnerable contract, passing in another invalid value, 456. This pushes the contract even further into an invalid state, making it harder for anyone to notice that an attack has taken place.

function attack() public {
    vulnerableContract.pause(123);
    // malicious code here
    vulnerableContract.unpause(456);
}

Tools Used

VSCODE

Recommended Mitigation Steps

To fix the problem, the contract owner should change the pause function so that it only accepts values that are valid paused status codes. They should also add access control that limits who can call the pause function. Together these prevent unauthorized actions on the contract.
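The mitigation described above, as an added Solidity illustration that is not EigenLayer's or the warden's code (the flag names and the single pauser role are assumptions): a pause function that rejects any status code outside the defined flag bits and that only one pauser account may call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration of the mitigation, not EigenLayer's or the warden's code.
// The flag names and the single `pauser` role are assumptions.
contract HardenedPausable {
    // Each valid pause flag is one bit; any other bit is an invalid status code.
    uint256 public constant PAUSE_DEPOSITS = 1 << 0;
    uint256 public constant PAUSE_WITHDRAWALS = 1 << 1;
    uint256 public constant ALL_FLAGS = PAUSE_DEPOSITS | PAUSE_WITHDRAWALS;
    address public immutable pauser; // the only account allowed to pause/unpause
    uint256 private _paused;         // current pause bitmask
    uint256 public deposits;         // sample state touched by a guarded action
    modifier onlyPauser() {
        require(msg.sender == pauser, "Pausable: caller is not the pauser");
        _;
    }
    modifier whenNotPaused(uint256 flag) {
        require((_paused & flag) == 0, "Pausable: this action is paused");
        _;
    }

    constructor(address _pauser) {
        require(_pauser != address(0), "Pausable: zero pauser");
        pauser = _pauser;
    }

    function paused() external view returns (uint256) {
        return _paused;
    }
    // pause(123) now reverts: 123 = 0b1111011 sets bits 3..6, which are not flags.
    // A pause may add flags but never clear one that is already set.
    function pause(uint256 newPausedStatus) external onlyPauser {
        require((newPausedStatus & ~ALL_FLAGS) == 0, "Pausable: invalid pause status code");
        require((_paused & newPausedStatus) == _paused, "Pausable: pause cannot clear flags");
        _paused = newPausedStatus;
    }

    // unpause(456) reverts for the same reason; an unpause may only clear flags.
    function unpause(uint256 newPausedStatus) external onlyPauser {
        require((newPausedStatus & ~ALL_FLAGS) == 0, "Pausable: invalid pause status code");
        require((_paused & newPausedStatus) == newPausedStatus, "Pausable: unpause cannot set flags");
        _paused = newPausedStatus;
    }

    // Guarded action: reverts while the PAUSE_DEPOSITS bit is set.
    function deposit() external whenNotPaused(PAUSE_DEPOSITS) {
        deposits += 1;
    }
}
```

With these checks, the attack() shown in the proof of concept reverts on its first call from any address other than pauser, and reverts on the invalid bits even when called by the pauser.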

Assessed type

Other

