Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable contract can be deployed if developer forgets to properly configure admin while extending ERC721H/ERC20H #174

Closed
Tracked by #88
code423n4 opened this issue Oct 24, 2022 · 2 comments
Closed
Tracked by #88

Vulnerable contract can be deployed if developer forgets to properly configure admin while extending ERC721H/ERC20H #174

code423n4 opened this issue Oct 24, 2022 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) invalid This doesn't seem right responded The Holograph team has reviewed and responded sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/abstract/ERC721H.sol#L140-L154

Vulnerability details

Impact

Source contract can be uninitialized with owner value that will lead to vulnerable contract that is not able to call functions with onlyOwner modifier.

Proof of Concept

To create source contract you need to extend ERC721H/ERC20H abstract contract. It has onlyOwner modifier. This modifier is needed to restrict some functions to the owner of source contract as you can see for example here.

Function ERC721H.init is responsible for initializing of source contract. Source contract can also override it. The problem is that ERC721H.init doesn't set owner for the contract.

function init(bytes memory initPayload) external virtual override returns (bytes4) {
    return _init(initPayload);
  }

  function _init(
    bytes memory /* initPayload*/
  ) internal returns (bytes4) {
    require(!_isInitialized(), "ERC721: already initialized");
    address _holographer = msg.sender;
    assembly {
      sstore(_holographerSlot, _holographer)
    }
    _setInitialized();
    return InitializableInterface.init.selector;
  }

Because of this, it's possible that source contract will not provide owner and will not work properly.

Tools Used

Recommended Mitigation Steps

Consider adding hook for extender to provide owner and then check that they did it.

function init(bytes memory initPayload) external virtual override returns (bytes4) {
    return _init(initPayload);
  }

  function _init(
    bytes memory /* initPayload*/
  ) internal returns (bytes4) {
    require(!_isInitialized(), "ERC721: already initialized");
    address _holographer = msg.sender;
    assembly {
      sstore(_holographerSlot, _holographer)
    }
    _setInitialized();
    //you can do like this
    //they should ovveride this
    contractCreatorSetOwner();
    //and then check
    checkThatOwnerIsSet();
    return InitializableInterface.init.selector;
  }
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 24, 2022
code423n4 added a commit that referenced this issue Oct 24, 2022
@code423n4
rvierdiiev issue #174
4bc0b3b
@gzeoneth gzeoneth added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Oct 28, 2022
@gzeoneth
Copy link
Member

not a bug

@alexanderattar
Copy link

This is more of a design suggestion than an issue with the code mentioned

@alexanderattar alexanderattar added sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue responded The Holograph team has reviewed and responded labels Nov 8, 2022
@gzeoneth gzeoneth added the invalid This doesn't seem right label Nov 19, 2022
@ACC01ADE ACC01ADE mentioned this issue Nov 22, 2022
Merged
53 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) invalid This doesn't seem right responded The Holograph team has reviewed and responded sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alexanderattar @code423n4 @gzeoneth