Detailed description of the impact of this finding.
External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its own transaction that can be initiated by the recipient of the call. This is especially relevant for payments, where it is better to let users withdraw funds rather than push funds to them automatically (this also reduces the chance of problems with the gas limit).
Provide direct links to all referenced code in GitHub.
https://github.com/GenerationSoftware/remote-owner/blob/285749ab51e98afc8ebb4e4049a4348d669a3e9d/src/RemoteOwner.sol#L67
(bool success, bytes memory returnData) = target.call{ value: value }(data);
Add screenshots, logs, or any other relevant proof that illustrates the concept.
POC
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import { RemoteOwner } from "/Users/williamsmith/Documents/2023-08-pooltogether/remote-owner/src/RemoteOwner.sol";
contract AttackRemoteOwner {
RemoteOwner public target;
constructor(RemoteOwner _target) public
{
target = RemoteOwner(_target);
}
function attack(RemoteOwner _target) public payable {
target.execute(address(target), 111 ether, "Ox20");
}
}
NB: Victim address in this test case is 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4
Test Case
VS Code
Avoid using the call function.
use require statement on call.
DoS
The text was updated successfully, but these errors were encountered:
All reactions