17 matches found
The MIMOVaultActions contract cannot withdraw assets to the user
Lines of code Vulnerability details Impact The MIMOVaultActions contract provides users with the functions of depositing, withdrawing and borrowing assets, which is called by the delegatecall of the MIMOProxy contract. But when borrowing or withdrawing assets, there is no function provided to giv...
Double spend in execute function from the MIMOProxy
Lines of code Vulnerability details There is batch function in MIMOProxy smart contract. The function is inherited from the BoringBatchable contract. The function accept an array of bytes - call parameters, and do delegate call to addressthis for each of the call parameters. There also is execute...
Malicious manipulation of gas reserve can deny access to MIMOProxy
Lines of code Vulnerability details The MIMOProxy contract defines a minGasReserve value as a storage variable: MIMOProxy.solL18: /// @inheritdoc IMIMOProxy uint256 public override minGasReserve; The execute function uses this minGasReserve value to calculate a gas stipend to provide to the targe...
[H1] MIMOProxy can be PWNED by malicious delegate call
Lines of code Vulnerability details Impact PBR proxy owner change protection can bypassed / DoS PoC PRBProxy has a protection to prevent malicious delegatecall to overwrite owner. function executeaddress target, bytes calldata data public payable override returns bytes memory response ... ... //...
If a MIMOProxy owner destroys their proxy, they cannot deploy another from the same address
Lines of code Vulnerability details When deploying a new MIMOProxy, the MIMOProxyRegistry first checks whether a proxy exists with the same owner for the given address. If an existing proxy is found, the deployment reverts: MIMOProxyRegistrydeployFor function deployForaddress owner public overrid...
Inadequate transferOwnership function prevents new owner from accessing funds
Lines of code Vulnerability details Description There are two sources of truth for identifying the account that owns a given MIMOProxy: 1. MIMOProxy.owner 2. MIMOProxyRegistry.getCurrentProxyaddress The first source of truth is only used within the proxy contract itself, and the second source of...
Any permission can be used to execute any code in MimoProxy
Lines of code Vulnerability details Impact If a permission is given in MimoProxy to any function, it can then be abused to whitelist any other msg.sender/function by modifying the permissions mapping. There is a check that the owner was not modified, but no check on permissions which makes sense...
When a user is given the owner privilege of multiple MIMOProxy through transferOwnership, the user cannot choose which MIMOProxy to use as the current Proxy
Lines of code Vulnerability details Impact currentProxies is only set when the user calls the deployFor function of the MIMOProxyRegistry contract, function deployForaddress owner public override returns IMIMOProxy proxy IMIMOProxy currentProxy = currentProxiesowner; // Do not deploy if the proxy...
QA Report
Prevent possible future storage collisions The target action contracts of MIMOProxy.sol use storage slot 0 for immutable addresses, which doesn't currently pose an issue; however, if in future additional contracts are added which allow this slot in storage to be modified then it could open the...
Unchecked Call Return Value
Lines of code Vulnerability details Impact The return value of a message call is not checked. Execution will resume even if the called contract throws an exception. If the call fails accidentally or an attacker forces the call to fail, this may cause unexpected behaviour in the subsequent program...
Overwriting storage slots in MIMOProxy
Lines of code Vulnerability details Impact The MIMOProxy allows you to delegate a call to another contract from a permission of owner. With a delegate call, the entire storage layout is kept the same as it is on MIMOProxy. It means that if the delegate call will be made for smart contract with...
MIMOProxy: The transferOwnership function does not update _currentProxies, which causes the core functionality to not work
Lines of code Vulnerability details Impact When the transferOwnership function of the MIMOProxy contract is called, currentProxiesnewOwner is not updated, which causes getCurrentProxynewOwner to return 0 or the wrong MIMOProxy contract address when newOwner executes the function in the current...
Caller is able to set management params in a MIMOManagedRebalance proxy he doesn't own
Lines of code Vulnerability details Impact A caller is able to set management params with any MIMOManagedRebalance proxy as long as the caller is a vault owner, the caller has deployed a proxy, and the caller is set as a manager of said vault. Proof of Concept Using the MIMOProxy's multi-call, ca...
## [H2] Multicall can be called by a malicious contract after executing a malicious delegatecall
Lines of code Vulnerability details Impact Multicall can be called though a malicious delegate call controlling all function in a vault. PoC This is related to a bug I had reported MIMOProxy can be PWNED by a malicious delegate call where I explain that storage variables can be set in delegate...
Registry not updated when proxy ownership is transferred
Lines of code Vulnerability details Impact When the ownership of a MIMOProxy instance is transferred using the transferOwnership function, the MIMOProxyRegistry contract is not updated, although it is the main entry point of all the workflows, as described in the README.md file. Even after the...
Multicall does not check if the owner has changed after calls has been made(msg.sender misuse)
Lines of code Vulnerability details Impact The multicall doesn't check if the owner has changed after call or calls has been made. The transferOwnerShip contracts/proxy/MIMOProxy.sol/ requires that the owner is the msg.sender, before ownership can be changes, which is exactly what multicall can d...
minGasReserve of MIMOProxy can be overwritten
Lines of code Vulnerability details Impact While there is a check that owner is not changed in a delegatecall, such a check is missing for minGasReserve, which means that the variable can be changed either maliciously or accidentally because of a storage slot collision. The consequences of this a...