Code4rena (code423n4): CODE423N4:2023-07-ARCADE-FINDINGS-ISSUES-415
Jul 28, 2023 - 12:00 a.m.

_getSelector does not return the right selector

Lines of code

Vulnerability details

Impact

The _getSelector(…) function in CoreVoting.sol will NEVER return the correct function selector of a calldata string. This can lead to a malfunction in the system when creating a proposal.

Proof of Concept

The function selector is supposed to be the hash digest of the function and its arguments; however, the implementation of _getSelector(…) does not return the first four bytes of the function selector.

    function _getSelector(bytes memory _calldata)
        internal
        pure
        returns (bytes4 out)
    {
        assembly {
            out := and(
                mload(add(_calldata, 32)),
                0xFFFFFFFFF0000000000000000000000000000000000000000000000000000000
            )
        }
    }

This happens because 9 hex digits

    0xFFFFFFFFF0000000000000000000000000000000000000000000000000000000

are used to mask the calldata instead of 8 digits

    0xFFFFFFFF00000000000000000000000000000000000000000000000000000000
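A model of the two masks applied to the first calldata word, added here as an example (it is not code from the finding or from the Arcade repository). It reproduces only the `and` step with Python integers; the masks are built by shifting on the assumption that both literals are 256-bit values, the sample calldata is constructed, and zero-padding of calldata shorter than 32 bytes is a simplification.

```python
"""Model of the masking step in _getSelector (added example, not project code)."""

# 9 leading F nibbles (the mask in the finding) vs. 8 (the recommended mask),
# assuming both literals are 256-bit values.
MASK_9_NIBBLES = 0xFFFFFFFFF << 220
MASK_8_NIBBLES = 0xFFFFFFFF << 224


def first_word(calldata: bytes) -> int:
    """Model mload(add(_calldata, 32)): the first 32 data bytes as a big-endian word.

    Zero-padding short input is a simplification; the EVM would read whatever
    follows the array in memory.
    """
    return int.from_bytes(calldata[:32].ljust(32, b"\x00"), "big")


def masked(calldata: bytes, mask: int) -> int:
    """Result of and(first_word, mask) as a 256-bit integer."""
    return first_word(calldata) & mask


def stray_bits(calldata: bytes) -> int:
    """Bits the 9-nibble mask keeps below the 4-byte selector (0: masks agree)."""
    return masked(calldata, MASK_9_NIBBLES) ^ masked(calldata, MASK_8_NIBBLES)


def top4(word: int) -> bytes:
    """Most significant four bytes of a 256-bit word."""
    return (word >> 224).to_bytes(4, "big")


# Constructed sample calldata: a 4-byte selector followed by one 32-byte argument.
SELECTOR = bytes.fromhex("a9059cbb")
CALLDATA_ZERO_PADDED = SELECTOR + (0x1234).to_bytes(32, "big")   # argument starts 0x00
CALLDATA_HIGH_NIBBLE = SELECTOR + bytes.fromhex("ab") + bytes(31)  # argument starts 0xab

if __name__ == "__main__":
    for name, data in [("zero-padded arg", CALLDATA_ZERO_PADDED),
                       ("high-nibble arg", CALLDATA_HIGH_NIBBLE)]:
        print(f"{name}: 9-nibble mask -> {masked(data, MASK_9_NIBBLES):064x}")
        print(f"{name}: 8-nibble mask -> {masked(data, MASK_8_NIBBLES):064x}")
        print(f"{name}: stray nibble  -> {stray_bits(data) >> 220:x}")
```

`stray_bits` is nonzero only when the high nibble of the byte immediately after the selector is nonzero. The model does not cover how the compiler later treats bits below the top four bytes of a `bytes4`.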

Tools Used

Manual review

Recommended Mitigation Steps

Change the 9 digits to 8 digits as shown below.

    function _getSelector(bytes memory _calldata)
        internal
        pure
        returns (bytes4 out)
    {
        assembly {
            out := and(
                mload(add(_calldata, 32)),
                // 8 hex digits: keep only the first four bytes of the word
                0xFFFFFFFF00000000000000000000000000000000000000000000000000000000
            )
        }
    }

Assessed type

Other

