Handle
hyh
Vulnerability details
Impact
The Reserve contract holds the funds corresponding to NFTs. These funds can be accessed by the Factory, and the ability to switch the Factory immediately gives a malicious Owner a way to instantly steal all users' funds.
Proof of Concept
The updateFactory function allows for unlimited and immediate updates of the Factory contract, which has control of all locked funds via the transfer and withdraw functions.
https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedReserve.sol#L64
Recommended Mitigation Steps
Either make factory immutable by allowing it to be changed only once:
Now:
To be:
Another way, when Factory updates are planned without explicit funds migration, is to timelock the updateFactory function.
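The two mitigations above side by side with the flagged pattern, as an added illustration that is not NestedReserve's code: ReserveBase, ImmediateReserve, SetOnceReserve, TimelockedReserve, the minimal IERC20 interface and the 2-day delay are all assumptions made for this example, and the real contract's storage layout and function set are not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface assumed for the demo (not the project's own).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Shared skeleton: funds move only at the factory's request, as in the finding.
abstract contract ReserveBase {
    address public owner;
    address public factory;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyFactory() { require(msg.sender == factory, "not factory"); _; }

    constructor(address _factory) {
        owner = msg.sender;
        factory = _factory;
    }

    function transfer(IERC20 token, address to, uint256 amount) external onlyFactory {
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Pattern the finding flags: any number of changes, each effective immediately,
// so a single owner transaction can hand all locked funds to an arbitrary contract.
contract ImmediateReserve is ReserveBase {
    constructor(address _factory) ReserveBase(_factory) {}

    function updateFactory(address _factory) external onlyOwner {
        factory = _factory;
    }
}

// Mitigation 1: the factory can be set exactly once. Deploy with address(0),
// set it during initialisation, and every later call reverts.
contract SetOnceReserve is ReserveBase {
    constructor() ReserveBase(address(0)) {}

    function setFactory(address _factory) external onlyOwner {
        require(factory == address(0), "factory already set");
        require(_factory != address(0), "zero address");
        factory = _factory;
    }
}

// Mitigation 2: two-step, timelocked change. The proposal is visible on-chain
// for the whole delay, so users and monitoring can react before funds are exposed.
contract TimelockedReserve is ReserveBase {
    uint256 public constant FACTORY_CHANGE_DELAY = 2 days; // assumed delay
    address public pendingFactory;    // proposed replacement, not yet active
    uint256 public factoryChangeEta;  // earliest timestamp the change can be applied

    event FactoryChangeProposed(address indexed newFactory, uint256 eta);
    event FactoryChangeCancelled(address indexed cancelledFactory);
    event FactoryChanged(address indexed oldFactory, address indexed newFactory);

    constructor(address _factory) ReserveBase(_factory) {}

    // Step 1: owner announces the new factory; nothing changes yet.
    function proposeFactory(address _factory) external onlyOwner {
        require(_factory != address(0), "zero address");
        pendingFactory = _factory;
        factoryChangeEta = block.timestamp + FACTORY_CHANGE_DELAY;
        emit FactoryChangeProposed(_factory, factoryChangeEta);
    }

    // Owner may withdraw a proposal before it is applied.
    function cancelFactoryChange() external onlyOwner {
        emit FactoryChangeCancelled(pendingFactory);
        pendingFactory = address(0);
        factoryChangeEta = 0;
    }

    // Step 2: once the delay has elapsed, anyone may apply the pending change.
    function applyFactory() external {
        require(pendingFactory != address(0), "nothing pending");
        require(block.timestamp >= factoryChangeEta, "timelock active");
        emit FactoryChanged(factory, pendingFactory);
        factory = pendingFactory;
        pendingFactory = address(0);
        factoryChangeEta = 0;
    }
}
```

In the timelocked variant, the FactoryChangeProposed event is the signal worth alerting on: a proposal pointing at an unknown or unverified contract gives holders the full delay window to withdraw, which is exactly what the immediate setter denies them.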