Code4rena (code423n4) CODE423N4:2023-06-STADER-FINDINGS-ISSUES-241
History: Jun 09, 2023 - 12:00 a.m.

The _poolId and _id values are not within the expected range and not performing appropriate bounds checking in the VAULTPROXY contract

Code4rena
github.com
bounds checking
unexpected functionality
reentrancy attacks
data corruption
validation
invalid input

Lines of code

Vulnerability details

Impact

When the _poolId and _id values are not within the expected range and the contract does not perform appropriate bounds checking on them, the result is a high-risk condition. The following risks and vulnerabilities can arise:

  1. Invalid or Out-of-Bounds Access: Without proper bounds checking, the contract may allow access to invalid or out-of-bounds elements in an array, mapping, or other data structure. This can lead to unexpected behavior, manipulation of data, or even contract crashes.
  2. Unintended Functionality: If the _poolId or _id values are used to determine different functionalities or logic within the contract, not validating these values can result in unintended operations being performed. Attackers can manipulate these values to bypass intended restrictions or gain unauthorized access.
  3. Reentrancy Attacks: If the contract interacts with other contracts based on the _poolId or _id values without proper validation, it may be vulnerable to reentrancy attacks. Attackers can manipulate these values to repeatedly call back into the contract, potentially causing unexpected behavior or loss of funds.
  4. Data Corruption or Loss: Invalid or unexpected values for _poolId or _id can lead to data corruption or loss within the contract. This can impact the integrity of the system, compromise user balances or records, and potentially result in financial losses.

Proof of Concept

A malicious attack contract is created to perform the attack. It takes an instance of the VaultProxy contract as a constructor parameter. Its attack function is then called with values for _poolId and _id that lie outside the expected range.
If the VaultProxy contract does not perform appropriate bounds checking, the initialise function executes without reverting. As a result, the VaultProxy contract is initialized with invalid and potentially malicious _poolId and _id values.
This can lead to unexpected behavior, incorrect state management, or even allow the attacker to gain control over the contract by manipulating its internal logic based on the invalid values.

Link: <https://github.com/seerether/Stader/blob/main/AttackContract>

Tools Used

Manual

Recommended Mitigation Steps

To mitigate attacks resulting from _poolId and _id values that are not within the expected range and from the lack of appropriate bounds checking, the following measures can be implemented in the contract:

  1. Bounds checking: By using the require statement, the _poolId and _id values are checked to ensure they are within the expected range. You can define appropriate constants like MAX_POOL_ID and MAX_ID to represent the maximum valid values for _poolId and _id respectively.
  2. Validation in the initialise function: The require statements are added in the initialise function to validate the _poolId and _id inputs. If the inputs are outside the expected range, the function will revert with an appropriate error message.
    Link: <https://github.com/seerether/Stader/blob/8066634e67c60dea91c99630be9027485fd34c40/MitigationSteps#L31-L32>
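The two mitigation steps above, written out as an added example (this is a simplified stand-in contract, not the Stader VaultProxy code or the linked mitigation file): the initialise signature, the MAX_POOL_ID and MAX_ID limits, the error strings and the Foundry test harness are all assumptions made here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Simplified stand-in for a VaultProxy-style initialiser (not the Stader code):
// it adds the range checks recommended above, using assumed MAX_POOL_ID / MAX_ID.
contract BoundedVaultProxy {
    uint8 public constant MAX_POOL_ID = 3;        // assumed limit for this example
    uint256 public constant MAX_ID = 1_000_000;   // assumed limit for this example
    bool public isInitialized;
    uint8 public poolId;
    uint256 public id;

    function initialise(uint8 _poolId, uint256 _id) external {
        require(!isInitialized, "VaultProxy: already initialised");
        // Bounds checks run before any state is written, so an out-of-range
        // call leaves the proxy uninitialised instead of storing bad values.
        require(_poolId >= 1 && _poolId <= MAX_POOL_ID, "VaultProxy: invalid _poolId");
        require(_id >= 1 && _id <= MAX_ID, "VaultProxy: invalid _id");
        isInitialized = true;
        poolId = _poolId;
        id = _id;
    }
}

// Foundry test (run with `forge test`) confirming the checks hold.
contract BoundedVaultProxyTest is Test {
    BoundedVaultProxy proxy;

    function setUp() public {
        proxy = new BoundedVaultProxy();
    }

    function testRejectsOutOfRangePoolId() public {
        vm.expectRevert(bytes("VaultProxy: invalid _poolId"));
        proxy.initialise(proxy.MAX_POOL_ID() + 1, 1);
        assertFalse(proxy.isInitialized()); // the reverted call wrote nothing
    }

    function testRejectsOutOfRangeId() public {
        vm.expectRevert(bytes("VaultProxy: invalid _id"));
        proxy.initialise(1, proxy.MAX_ID() + 1);
    }

    function testAcceptsInRangeValues() public {
        proxy.initialise(2, 42);
        assertEq(proxy.poolId(), 2);
        assertEq(proxy.id(), 42);
        assertTrue(proxy.isInitialized());
    }
}
```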

Assessed type

Invalid Validation
