MetaMask / metamask-extension

:globe_with_meridians: :electric_plug: The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
https://metamask.io

[Bug]: Ethereum Integer Overflow "Gas Free" Minting RPC Backdoor #15132

Closed ghost closed 2 years ago

ghost commented 2 years ago

Describe the bug

Solidity Hacking: Integer Overflow

Integer overflows and wraparounds are featured on the Most Common Weakness Enumeration (CWE) list of the most common bugs, faults, or errors for hardware and software. Integer overflows occur when a value exceeds the maximum value that a variable can contain, and integer overflows happen when a value becomes too small to fit. This results in an unsigned variable that constrains the maximum value that it can hold.

Integer Overflow in Ethereum

In Solidity, you can perform many different operations with numbers. This common issue is present in multiple Ethereum, Arbitrum, BNB Smart Chain, and Polygon networks including Ethereum Test networks such as Ropsten, Kovan, Rinkeby, and Görli.

There are two types of integers in Solidity:


Steps to reproduce

  1. Connect Metamask to Web3 (Etherscan, Bscscan, Polyscan)
  2. Edit the smart contract with #WriteProxyContract
  3. For batchTransfer type -1

The attacker performs a -1 request with mint, transfer, transferFrom, or batchTransfer.

Error messages or log output

POST / HTTP/2
Host: polygon-rpc.com
Content-Length: 452
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: application/json
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"id":6078673470407,"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["0x02f8b48189038506fda080818506fda08081840183e0c99424834bbec7e39ef42f4a75eaf8e5b6486d3f0e5780b844a9059cbb00000000000000000000000023bff60d74d558119d92d059b9dab91a63afa5a5ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc001a069d447b8f1610cce3d397ec9c68e4a3d806df6824dde637e4c5c5fa226cb0126a037e42699e209b8d653332cfb41c80560a33cf4677ad1b02aa6f5c9b170fb37d5"]}

Version

10.14.7

Build type

No response

Browser

Firefox

Operating system

Linux

Hardware wallet

Ledger, Other (please elaborate in the "Additional Context" section)

Additional context

Using Integer Overflow to Perform an Attack on Ethereum Network (Related Issues)

overflow

beautychain
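To check what the quoted eth_sendRawTransaction request actually carries, here is an added Python example (not MetaMask's code and not code from the issue): it RLP-decodes the raw type-2 transaction copied from the request body above, decodes the ERC-20 `transfer(address,uint256)` calldata inside it, and then models uint256 arithmetic the way a token contract would, once with checked arithmetic (the Solidity 0.8+ default) and once with wrapping arithmetic. The `transfer` and `batch_transfer` functions are simplified reconstructions of typical token logic (the batchTransfer shape is an assumption modelled on the beautychain bug the issue links to), and every balance used is a constructed sample value.

```python
# Added example, not MetaMask's or the reporter's code. RAW_TX_HEX is copied
# verbatim from the issue; balances and token amounts below are constructed.

UINT256_MAX = 2**256 - 1
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak256("transfer(address,uint256)")[:4]

RAW_TX_HEX = (
    "0x02f8b48189038506fda080818506fda08081840183e0c994"
    "24834bbec7e39ef42f4a75eaf8e5b6486d3f0e5780b844a9059cbb"
    "00000000000000000000000023bff60d74d558119d92d059b9dab91a63afa5a5"
    "ffffffffffffffff" "ffffffffffffffff" "ffffffffffffffff" "ffffffffffffffff"
    "c001a069d447b8f1610cce3d397ec9c68e4a3d806df6824dde637e4c5c5fa226cb0126"
    "a037e42699e209b8d653332cfb41c80560a33cf4677ad1b02aa6f5c9b170fb37d5"
)


def _rlp_item(b: bytes):
    """Decode one RLP item (bytes or list); return (item, remaining bytes)."""
    p = b[0]
    if p < 0x80:                                   # single byte encodes itself
        return b[:1], b[1:]
    if p < 0xB8:                                   # short string
        n = p - 0x80
        return b[1:1 + n], b[1 + n:]
    if p < 0xC0:                                   # long string
        ll = p - 0xB7
        n = int.from_bytes(b[1:1 + ll], "big")
        return b[1 + ll:1 + ll + n], b[1 + ll + n:]
    if p < 0xF8:                                   # short list
        ll, n = 0, p - 0xC0
    else:                                          # long list
        ll = p - 0xF7
        n = int.from_bytes(b[1:1 + ll], "big")
    payload, rest = b[1 + ll:1 + ll + n], b[1 + ll + n:]
    items = []
    while payload:
        item, payload = _rlp_item(payload)
        items.append(item)
    return items, rest


def decode_eip1559_tx(raw_hex: str) -> dict:
    """Return the review-relevant fields of a type-2 (EIP-1559) transaction."""
    raw = bytes.fromhex(raw_hex[2:] if raw_hex.startswith("0x") else raw_hex)
    if raw[0] != 0x02:
        raise ValueError("not an EIP-1559 (type 2) transaction")
    fields, rest = _rlp_item(raw[1:])
    if rest or len(fields) != 12:                  # 9 body fields + v, r, s
        raise ValueError("malformed transaction envelope")
    chain_id, _nonce, _prio, _fee, _gas, to, value, data = fields[:8]
    return {"chain_id": int.from_bytes(chain_id, "big"), "to": "0x" + to.hex(),
            "value": int.from_bytes(value, "big"), "data": data}


def decode_erc20_transfer(data: bytes):
    """Decode transfer(address,uint256) calldata into (recipient, amount)."""
    if len(data) != 68 or data[:4] != TRANSFER_SELECTOR:
        raise ValueError("calldata is not transfer(address,uint256)")
    recipient = "0x" + data[16:36].hex()           # address is right-aligned in its 32-byte word
    return recipient, int.from_bytes(data[36:68], "big")


def _uint256(r: int, checked: bool) -> int:
    """Checked mode reverts on overflow; unchecked mode wraps modulo 2**256."""
    if checked and not 0 <= r <= UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return r % 2**256


def mul_uint256(a: int, b: int, checked: bool) -> int:
    return _uint256(a * b, checked)


def transfer(balances: dict, sender: str, to: str, amount: int) -> None:
    """Plain token transfer: the balance check precedes all arithmetic, so a
    2**256-1 amount is rejected without any overflow ever happening."""
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] -= amount
    balances[to] = balances.get(to, 0) + amount


def batch_transfer(balances, sender, receivers, value, checked):
    """Simplified batchTransfer (assumption): total = count * value is computed
    before the balance check, which is where unchecked arithmetic fails."""
    total = mul_uint256(len(receivers), value, checked)
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] -= total
    for r in receivers:
        balances[r] = _uint256(balances.get(r, 0) + value, checked)


def inspect_issue_payload() -> dict:
    """Decode the issue's transaction down to the ERC-20 call it carries."""
    tx = decode_eip1559_tx(RAW_TX_HEX)
    recipient, amount = decode_erc20_transfer(tx["data"])
    return {"chain_id": tx["chain_id"], "token": tx["to"], "recipient": recipient,
            "amount": amount, "amount_is_uint256_max": amount == UINT256_MAX}


def simulate_issue_transfer() -> str:
    """Replay the decoded transfer against a constructed balance of 1000 units."""
    balances = {"0xsender": 1000}                  # constructed sample balance
    _, amount = decode_erc20_transfer(decode_eip1559_tx(RAW_TX_HEX)["data"])
    try:
        transfer(balances, "0xsender", "0xrecipient", amount)
        return "accepted"
    except ValueError:
        return "rejected: insufficient balance"


def simulate_batch(checked: bool):
    """Two receivers at 2**255 each: count * value wraps to 0 unless checked."""
    balances = {"0xsender": 1}                     # constructed: sender holds one unit
    try:
        batch_transfer(balances, "0xsender", ["0xa", "0xb"], 2**255, checked)
        return "accepted", balances
    except OverflowError:
        return "reverted", balances


if __name__ == "__main__":
    print(inspect_issue_payload())
    print(simulate_issue_transfer())
    print(simulate_batch(checked=False), simulate_batch(checked=True))
```

Decoding shows the request targets chain id 137 (Polygon, matching the `polygon-rpc.com` host) and sends `transfer` with an amount of 2**256-1, which is what typing `-1` into a uint256 field produces. That value is not an overflow on its own: a balance check rejects it before any arithmetic runs. The wraparound only matters where a contract multiplies or adds before checking, as in the batch case, and checked arithmetic turns that into a revert; both outcomes depend on the token contract, not on the wallet that relays the signed transaction.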

bschorchit commented 2 years ago

Hey @jilky, thanks for submitting this, but the team has already provided feedback for this through HackerOne. Reiterating it here:

I agree that there exist some contracts on every EVM-based chain that are susceptible to {over,under}flow attacks; however, this is not a security concern of the MetaMask product, as we do not control those vulnerable smart contracts.