Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #231

Open
code423n4 opened this issue Jun 19, 2022 · 3 comments
Open

QA Report #231

code423n4 opened this issue Jun 19, 2022 · 3 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

code423n4 commented Jun 19, 2022
edited by 0xleastwood
Loading

In all of proxy pattern contracts (BridgeToken, LPToken, StableSwap, TokenRegistry, PromiseRouter,...) the implementation contract don't initialized

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/LPToken.sol#L13-L27
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/StableSwap.sol#L31-L116

Vulnerability details

Impact

In proxy pattern if the initialization contract don't get initialized then attacker can initialize it and get access to it's admin level functionalities and with logics like self-destruct it can harm the protocol. it's safer to initialize all the implementation contracts too.

Proof of Concept

There is no constructor in contracts to set the state of implementation contract to initialized in BridgeToken, LPToken, StableSwap, TokenRegistry, PromiseRouter and others..
attacker can call initialize() method for implementation contract and take control of it and if there were some logics like self-destruct or ... attacker can use it harm protocol.

Tools Used

VIM

Recommended Mitigation Steps

add constructor and set implementation contract state to initialized
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 19, 2022
code423n4 added a commit that referenced this issue Jun 19, 2022
@code423n4
unforgiven issue #231
1095f62
@LayneHaber
Copy link
Collaborator

These contracts all have the following modifier attached to the initialize functions:

modifier initializer() {
        bool isTopLevelCall = _setInitializedVersion(1);
        if (isTopLevelCall) {
            _initializing = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
            emit Initialized(1);
        }
    }

These functions then do update an internal variable marking whether the contract has been initialized to true. The constructors were dropped according to the best practice of writing upgradeable contracts outlined here

@LayneHaber LayneHaber added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Jun 24, 2022
@0xleastwood
Copy link
Collaborator

While the warden's issue has some truth to it, this would only be a concern if the user who initialized the implementation contract could arbitrarily delegatecall and self-destruct the contract. Because there is no way to directly exploit this, I think it would be fair to downgrade this to QA.

@0xleastwood 0xleastwood added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels Aug 2, 2022
@0xleastwood 0xleastwood changed the title In all of proxy pattern contracts (BridgeToken, LPToken, StableSwap, TokenRegistry, PromiseRouter,...) the implementation contract don't initialized QA Report Aug 2, 2022
This was referenced Aug 13, 2022
Closed
Open
Closed
Closed
@LayneHaber
Copy link
Collaborator

LayneHaber commented Aug 19, 2022
edited
Loading

see comment here from previously merged issue!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LayneHaber @0xleastwood @code423n4