Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MED: Holographer contract may be destructed using delegatecall to trusted address - Holographer's fallback(), HolographERC721's fallback() #494

Closed
Tracked by #88
code423n4 opened this issue Oct 25, 2022 · 3 comments
Closed
Tracked by #88

MED: Holographer contract may be destructed using delegatecall to trusted address - Holographer's fallback(), HolographERC721's fallback() #494

code423n4 opened this issue Oct 25, 2022 · 3 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax responded The Holograph team has reviewed and responded sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/enforcer/Holographer.sol#L229

Vulnerability details

Description

The Holograph contracts use delegatecall pattern to execute enforcers from Holographer. In the Holographer fallback, getHolographEnforcer is called to calculate a delegatecall destination:

 function getHolographEnforcer() public view returns (address) {
    HolographInterface holograph;
    bytes32 contractType;
    assembly {
      holograph := sload(_holographSlot)
      contractType := sload(_contractTypeSlot)
    }
    return HolographRegistryInterface(holograph.getRegistry()).getReservedContractTypeAddress(contractType);
  }

The issue is that a malicious / compromised admin can update the registry and make getReservedContractTypeAddress() return an arbitrary address. From there, they are able to do anything, from destroying the contract to re-distributing the balances as they see fit.

Impact

Rogue registry represents a major centralization risk which will always exist in each deployed contract.

Tools Used

Manual audit

Recommended Mitigation Steps

Unless explicitly asked by deployer, make the calculated Enforcer be set in stone after the initialization stage.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 25, 2022
code423n4 added a commit that referenced this issue Oct 25, 2022
@code423n4
Trust issue #494
2bb4742
@gzeoneth gzeoneth mentioned this issue Oct 31, 2022
Closed
@gzeoneth gzeoneth added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Oct 31, 2022
@gzeoneth
Copy link
Member

Could be Low/QA, centralization risk

@alexanderattar
Copy link

This is a design decision and the admin key will be a multi-sig to manage upgrades securely

@alexanderattar alexanderattar added sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue responded The Holograph team has reviewed and responded sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels Nov 8, 2022
@gzeoneth gzeoneth added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Nov 19, 2022
@gzeoneth
Copy link
Member

Consider with #433

@gzeoneth gzeoneth added the duplicate This issue or pull request already exists label Nov 21, 2022
@ACC01ADE ACC01ADE mentioned this issue Nov 22, 2022
Merged
53 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax responded The Holograph team has reviewed and responded sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alexanderattar @code423n4 @gzeoneth