Unprotected bridgeIn
and deployHolographableContract
in HolographFactory
are susceptible to replay attacks
#111
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
invalid
This doesn't seem right
Lines of code
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographFactory.sol#L160
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographFactory.sol#L192
Vulnerability details
Impact
The creation of a holographable contract in a chain may be replayable in any other chain supported by the Holograph protocol.
The
bridgeIn
ordeployHolographableContract
can be called by anyone using the same parameters that were previously used to deploy a contract in a specific chain to deploy the same contract (that will render the same address) in any other chain.Proof of Concept
Copy the arguments that were used to execute a transaction to
bridgeIn
ordeployHolographableContract
of theHolographFactory
contract in a chain and recreate that same transaction in any other chain.Recommended Mitigation Steps
I can think of two alternatives:
1- Protect the access to the
bridgeIn
function (anddeployHolographableContract
) so that it is only accessible by the bridge. Holographable owners would need to follow a bridging flow to deploy their contracts to other chains.2- Include the
chainId
in the signature and verify it matches the currentchainId
that is executing the transaction. This way a payload/signature won't be replayable in another chain. Note that in this case thechainId
can't be part of the hash that is used as the salt to create2, since it will create contracts with different addresses in different chains. ThechainId
should be included in the hash for signature verification but excluded in the hash for the create2 salt.The text was updated successfully, but these errors were encountered: