Admin accounts with critical permissions cannot be set to multi-sig wallets at initialization #149
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
invalid
This doesn't seem right
responded
The Holograph team has reviewed and responded
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4
added
2 (Med Risk)
code423n4
added a commit
that referenced
this issue
Oct 24, 2022
|
As mentioned, it can easily be transferred afterward. |
gzeoneth
added
the
disagree with severity
|
This is a design decision that deployer key is not security key. The deployment pipeline is setup for deployer key to deploy contracts and pass all rights/ownership to multi-sig |
alexanderattar
added
sponsor disputed
53 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L247
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographBridge.sol#L169
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographFactory.sol#L147
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/module/LayerZeroModule.sol#L165
Vulnerability details
Impact
Accounts with critical permissions should be controlled by multi-sig wallets. However, the initialization methods of the listed contracts don't allow setting the initial admin address to a multi-sig.
Proof of Concept
Some contracts use
tx.origin(origin()in assembly syntax) to initialize the admin accounts. Sincetx.originrefers to the first address in the sequence of calls, we know it belongs to an externally owned account (EOA). This is dangerous because a single person can exercise all the associated privileges alone. In particular, any person with access to the original EOA can gain exclusive access by setting the admin address to an account he controls alone. Notice, however, that the admin can also transfer the privileges to a multi-sig after initialization.Further, notice that the
Admin.setAdminfunction does not protect against the zero address and does not implement a two-phase transferal, which can lead to the accidental loss of all admin privileges.Tools Used
VSCode
Recommended Mitigation Steps
Don't use
tx.originto initialize the admin address. It could be turned into a parameter instead. Make sure to align the deployment process accordingly.The text was updated successfully, but these errors were encountered: