Proxy Contract Vulnerability #2

@captnseagraves

Description

Credit to Liam Zebedee for finding this bug

The following is from Liam's email notifying us of the vulnerability:

1) Subscription contract does not check for “deduction” in funds after calling the token contract.

Exploit mechanism: proxy contracts.

Since a contract’s address is based on the deployed ABI of the contract, but not the contract’s storage, an attack vector I’ve decided to exploit is creating a contract which adheres to the ERC20 interface but whose functionality can be changed to the Subscription contract’s direct disadvantage.

The Subscription contract uses the return value of ERC20.transferFrom to ascertain whether executeSubscription was successful. The token address of Subscription cannot be changed, but the underlying contract can.

The example attached is a proxy contract using delegatecall. The first contract can function like a real ERC20 token, only later to be replaced with one which always returns true from transferFrom.

Solutions: A possible fix would be to check the balance before and after, rather than relying on the value of transferFrom.

Example code for the proxy contract is here:
https://gist.github.com/liamzebedee/5c2afd3a24bb840744ab9cf149055738
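The two patterns Liam describes, side by side, as an added illustration that is not part of the original issue or the Subscription project's code. `SubscriptionExample`, `executeSubscriptionUnsafe`, `executeSubscriptionSafe`, `payee` and `_markPaid` are assumed names chosen for this example; the token address is fixed at deployment, as the issue says it is in the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original issue or the Subscription project.
// Minimal ERC20 surface the subscription logic relies on.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SubscriptionExample {
    IERC20 public immutable token;   // fixed at deployment; the code behind it may not be
    address public immutable payee;  // assumed: where subscription payments are collected
    mapping(address => uint256) public lastPaid;

    constructor(IERC20 _token, address _payee) {
        token = _token;
        payee = _payee;
    }

    // Pattern the issue describes as vulnerable: the only evidence of payment
    // is the bool that transferFrom returns. If the token is a proxy whose
    // implementation is swapped for one that always returns true, this check
    // passes without any balance changing.
    function executeSubscriptionUnsafe(address subscriber, uint256 amount) external {
        require(token.transferFrom(subscriber, payee, amount), "transfer failed");
        _markPaid(subscriber);
    }

    // Fix suggested in the issue: read the payee balance before and after the
    // call and require the observed delta to cover the subscription amount.
    // The return value of transferFrom is deliberately not relied on.
    function executeSubscriptionSafe(address subscriber, uint256 amount) external {
        uint256 before = token.balanceOf(payee);
        token.transferFrom(subscriber, payee, amount);
        uint256 after_ = token.balanceOf(payee);
        // Solidity 0.8 reverts on underflow, so a balance that went down
        // (rather than up) also fails here instead of wrapping around.
        uint256 received = after_ - before;
        require(received >= amount, "token did not deliver the subscription amount");
        _markPaid(subscriber);
    }

    function _markPaid(address subscriber) internal {
        lastPaid[subscriber] = block.timestamp;
    }
}
```

The balance-delta check removes the dependence on a value the token contract is free to fabricate, and it also handles fee-on-transfer or rebasing tokens that deliver less than `amount`. It is still a check performed through the same token address: a swapped-in implementation could misreport `balanceOf` as well, so the delta raises the bar rather than restoring trust in an upgradeable token. Pinning an `extcodehash` of the token at deployment, or only accepting tokens whose implementation cannot be changed, addresses that residual risk at the design level.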
