Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IsContract Function Usage #72

Open
code423n4 opened this issue Dec 8, 2021 · 3 comments
Open

IsContract Function Usage #72

code423n4 opened this issue Dec 8, 2021 · 3 comments
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Something isn't working sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Handle

defsec

Vulnerability details

Impact

the isContract function that uses EXTCODESIZE was discovered to be hackable. The function will return false if it is invoked from a contract's constructor (because the contract has not been deployed yet).

The code should be used very carefully, if at all, to avoid security hacks such as:

https://www.reddit.com/r/ethereum/comments/916xni/how_to_pwn_fomo3d_a_beginners_guide (archive)

Proof of Concept

Navigate to "https://github.com/maple-labs/proxy-factory/blob/main/contracts/ProxyFactory.sol#L64" & "https://github.com/maple-labs/proxy-factory/blob/main/contracts/ProxyFactory.sol#L56" & "https://github.com/maple-labs/proxy-factory/blob/main/contracts/ProxyFactory.sol#L47" & "https://github.com/maple-labs/proxy-factory/blob/main/contracts/ProxyFactory.sol#L20"

The function is allowed with isContract modifier.
However this is vulnerable implementation.
The sample code can be seen below.

Tools Used

None

Recommended Mitigation Steps

If you want to make sure that an EOA is calling your contract, a simple way is require(msg.sender == tx.origin). However, preventing a contract is an anti-pattern with security and interoperability considerations. (ethereum/solidity#683 - https://ethereum.stackexchange.com/questions/1891/whats-the-difference-between-msg-sender-and-tx-origin)

@code423n4 code423n4 added 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working labels Dec 8, 2021
code423n4 added a commit that referenced this issue Dec 8, 2021
@lucas-manuel
Copy link
Collaborator

We are aware of this, do not think its an issue, and wont address.

@lucas-manuel lucas-manuel added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Dec 8, 2021
@deluca-mike
Copy link
Collaborator

deluca-mike commented Dec 9, 2021

Also, there are no mitigation steps, and the ones proposed are much worse than the "problem". The contract existence checks used are not there to blacklist EOAs, but actually to prevent low-level calls and delegatecalls to functions at addresses without contract code, which would result in erroneous successes.

@deluca-mike deluca-mike added the invalid This doesn't seem right label Dec 9, 2021
@pauliax
Copy link
Collaborator

pauliax commented Dec 18, 2021

Agree with sponsors, the avoidance of EXTCODESIZE is a pretty well-known problem, but here I don't think it poses serious security issues, the warden hasn't provided any real attack path, only theoretical considerations. I am marking this issue as a non-critical recommendation.

@pauliax pauliax added 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation and removed invalid This doesn't seem right 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments labels Dec 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Something isn't working sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Development

No branches or pull requests

4 participants