
Anyone Can selfdestruct The VaultProxy Contract.

Published: Jun 09, 2023
Source: Code4rena (github.com)
Tags: vaultproxy contract, vulnerability, freeze functionality, initializer modifier

Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L29>
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L42>
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L56>

Vulnerability details

  • Since the initialise function of VaultProxy is missing the initializer modifier (it is intended to be unprotected, per the ETHx smart contract functions documentation <https://docs.google.com/spreadsheets/d/1IjJ5z9oi9I-ejdRCitJsTT1on0WwjoKlbvurCtlB1KA/edit#gid=643619608>),

  • and since the VaultFactory contract does not initialise the VaultProxy it deploys in its own initialize function, but only later through the separate functions deployWithdrawVault and deployNodeELRewardVault, which are protected by the onlyRole(NODE_REGISTRY_CONTRACT) modifier,

  • any attacker can initialise the VaultProxy contract with a malicious _staderConfig address that returns a malicious, self-destructing ValidatorWithdrawalVaultImplementation or NodeELRewardVaultImplementation address, i.e. an implementation whose fallback calls selfdestruct, as in the code below:

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.0;

    // Implementation returned by the attacker-controlled config: any call that the
    // VaultProxy delegates here runs selfdestruct in the proxy's own context.
    contract MaliciousValidatorWithdrawalVaultImplementation {
        fallback() external {
            selfdestruct(payable(0));
        }
    }

Impact

Destroying the VaultProxy implementation contract would freeze every piece of functionality that routes through that implementation.

Proof of Concept

Instances: 1

File: 2023-06-stader/contracts/VaultProxy.sol
Line 20: function initialise(

File: 2023-06-stader/contracts/factory/VaultFactory.sol
Line 29: vaultProxyImplementation = address(new VaultProxy());
Line 42: VaultProxy(payable(withdrawVaultAddress)).initialise(true, _poolId, _validatorId, address(staderConfig));
Line 56: VaultProxy(payable(nodeELRewardVaultAddress)).initialise(false, _poolId, _operatorId, address(staderConfig));

Tools Used

Manual Testing.

Recommended Mitigation Steps

Protect the initialise function in the VaultProxy contract with the initializer modifier from OpenZeppelin's upgradeable contracts (provided by Initializable, which AccessControlUpgradeable inherits).
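The following is an added example, not code from the Stader repository or from this finding, showing the unguarded initialise pattern beside the hardened form and a Foundry test that pins down the difference. It assumes OpenZeppelin Contracts 4.x (the upgradeable package for Initializable, the base package for Clones) and forge-std on the import path; IVaultConfig, UnguardedVaultProxy and HardenedVaultProxy are hypothetical stand-ins for StaderConfig and VaultProxy, the parameter types are guessed from the call sites quoted above, and the use of EIP-1167 clones in the last test is an assumption about how the factory deploys vaults, used only to show one-time initialisation of a proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example, not Stader's code. Assumes OpenZeppelin Contracts 4.x and forge-std.
// IVaultConfig / UnguardedVaultProxy / HardenedVaultProxy are hypothetical stand-ins;
// parameter types are guesses from the initialise(...) call sites in VaultFactory.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical config interface: the two getters the proxy's fallback resolves through.
interface IVaultConfig {
    function getValidatorWithdrawalVaultImplementation() external view returns (address);
    function getNodeELRewardVaultImplementation() external view returns (address);
}

/// Storage and delegating fallback shared by both variants.
abstract contract VaultProxyBase {
    bool public isValidatorWithdrawalVault;
    uint8 public poolId;
    uint256 public id;
    address public vaultConfig;

    function _setUp(bool _isWithdrawalVault, uint8 _poolId, uint256 _id, address _vaultConfig) internal {
        isValidatorWithdrawalVault = _isWithdrawalVault;
        poolId = _poolId;
        id = _id;
        vaultConfig = _vaultConfig;
    }

    // Every call is delegated to whatever implementation the config currently returns,
    // so whoever controls vaultConfig controls the code that runs in this contract's context.
    fallback() external payable {
        address impl = isValidatorWithdrawalVault
            ? IVaultConfig(vaultConfig).getValidatorWithdrawalVaultImplementation()
            : IVaultConfig(vaultConfig).getNodeELRewardVaultImplementation();
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        assembly { return(add(ret, 32), mload(ret)) }
    }

    receive() external payable {}
}

/// Shape of the finding: no guard, so anyone can (re)point vaultConfig at any time.
contract UnguardedVaultProxy is VaultProxyBase {
    function initialise(bool _isWithdrawalVault, uint8 _poolId, uint256 _id, address _vaultConfig) external {
        _setUp(_isWithdrawalVault, _poolId, _id, _vaultConfig);
    }
}

/// Hardened form: `initializer` limits initialise() to one call per proxy, and
/// _disableInitializers() in the constructor closes that one call on the implementation
/// itself, which the factory deploys (VaultFactory line 29) but never initialises.
contract HardenedVaultProxy is VaultProxyBase, Initializable {
    constructor() {
        _disableInitializers();
    }

    function initialise(bool _isWithdrawalVault, uint8 _poolId, uint256 _id, address _vaultConfig)
        external
        initializer
    {
        _setUp(_isWithdrawalVault, _poolId, _id, _vaultConfig);
    }
}

/// Foundry test (constructed addresses; no real config contract is needed because
/// initialise() never calls into vaultConfig).
contract InitialiseGuardTest is Test {
    address constant ATTACKER = address(0xBAD);
    address constant ATTACKER_CONFIG = address(0xC0FFEE);

    function testUnguardedImplementationAcceptsAnyone() public {
        UnguardedVaultProxy impl = new UnguardedVaultProxy();
        vm.prank(ATTACKER);
        impl.initialise(true, 1, 1, ATTACKER_CONFIG);
        assertEq(impl.vaultConfig(), ATTACKER_CONFIG); // attacker now chooses the delegatecall target
    }

    function testHardenedImplementationRejectsInitialise() public {
        HardenedVaultProxy impl = new HardenedVaultProxy();
        vm.prank(ATTACKER);
        vm.expectRevert();
        impl.initialise(true, 1, 1, ATTACKER_CONFIG);
    }

    function testHardenedCloneInitialisesExactlyOnce() public {
        HardenedVaultProxy impl = new HardenedVaultProxy();
        HardenedVaultProxy vault = HardenedVaultProxy(payable(Clones.clone(address(impl))));
        vault.initialise(true, 1, 42, address(0x1234)); // the factory's one legitimate call
        vm.prank(ATTACKER);
        vm.expectRevert();
        vault.initialise(true, 1, 42, ATTACKER_CONFIG);
    }
}
```

Run with `forge test`. Two caveats for anyone applying the mitigation: the initializer modifier on its own only bounds initialise to one call per contract, so the implementation created by `new VaultProxy()` at VaultFactory line 29, which the factory never initialises, would still accept its first caller unless the constructor also calls `_disableInitializers()` (or the factory initialises the implementation itself). Separately, since the Cancun upgrade (EIP-6780) selfdestruct only removes code when it runs in the transaction that created the contract, so on current mainnet the freezing impact described here is much smaller; the unguarded initialise is still a bug in its own right, because it hands control of the delegatecall target to an arbitrary caller.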

Assessed type

Access Control
