Mentioned in the readme file:
Some functions of the protocol require admin rights (onlyOwner).
The contracts are owned by the [TimelockController](https://docs.openzeppelin.com/contracts/4.x/api/governance#TimelockController) contract from OpenZeppelin, set with a >7-days delay. This ensures the community has time to review any changes made to the protocol.
The owner of the TimelockController is a three-party multisignature wallet.
During the next phase of the protocol, the ownership will be transferred to a fully decentralized DAO.
Agree with sponsor - the recommendations the warden described to fix this issue are already in place, so this issue is not valid.
Lines of code
https://github.com/code-423n4/2022-02-nested/blob/fe6f9ef7783c3c84798c8ab5fc58085a55cebcfc/contracts/NestedReserve.sol#L10-L24
Vulnerability details
There are multiple contracts that inherit `OwnableFactoryHandler`, which allows the `Owner` of these contracts to add an arbitrary address as `factory`, effective immediately. Therefore, a malicious/compromised `Owner` will be able to call all the `onlyFactory` methods.
https://github.com/code-423n4/2022-02-nested/blob/fe6f9ef7783c3c84798c8ab5fc58085a55cebcfc/contracts/NestedReserve.sol#L10-L24
https://github.com/code-423n4/2022-02-nested/blob/fe6f9ef7783c3c84798c8ab5fc58085a55cebcfc/contracts/abstracts/OwnableFactoryHandler.sol#L27-L31
PoC
Given: `1000e8 WBTC` is stored in `NestedReserve`.
A malicious/compromised `Owner` of `NestedReserve` can do the following to steal funds from `NestedReserve`:
1. `NestedReserve.sol#addFactory()` and set `HackerAddress` as `factory`;
2. `NestedReserve.sol#transfer()` with:
   - `_recipient`: HackerAddress
   - `_token`: WBTC
   - `_amount`: 1000e8
As a result, `1000e8 WBTC` is stolen by the attacker.
A similar attack can be initiated on `NestedRecords` by calling: `NestedRecords#addFactory()` -> `NestedRecords#store()` -> `NestedFactory#withdraw()`.
Recommendation
In `OwnableFactoryHandler` contracts, `addFactory()` should be timelocked.
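One way to implement the timelock the warden recommends on `addFactory()`, as an added example that is not the Nested project's code: the owner first announces a candidate factory, and can only register it once a fixed delay has elapsed, which removes the "effective immediately" path and gives the community the review window the README describes. The contract name, the `DELAY` constant, `proposeFactory`, `cancelFactory`, `pendingFactoryEta`, the `supportedFactories` mapping name and the OpenZeppelin 4.x `Ownable` import are all assumptions; only `addFactory` and `onlyFactory` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (no-argument Ownable constructor).
import "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical timelocked variant of an owner-managed factory registry.
/// Illustration only; not the audited OwnableFactoryHandler. Every name
/// except addFactory() and onlyFactory is an assumption for this example.
abstract contract TimelockedFactoryHandler is Ownable {
    /// Minimum time between announcing a factory and activating it.
    uint256 public constant DELAY = 7 days;

    /// Factories currently allowed to call onlyFactory methods.
    mapping(address => bool) public supportedFactories;

    /// Earliest timestamp at which a proposed factory may be activated
    /// (0 means no pending proposal for that address).
    mapping(address => uint256) public pendingFactoryEta;

    event FactoryProposed(address indexed factory, uint256 eta);
    event FactoryProposalCancelled(address indexed factory);
    event FactoryAdded(address indexed factory);

    /// Restricts a method to registered factories only.
    modifier onlyFactory() {
        require(supportedFactories[msg.sender], "TFH: FORBIDDEN");
        _;
    }

    /// Step 1: the owner announces a factory. Nothing changes yet, but the
    /// proposal is public on-chain, so it can be reviewed before it takes effect.
    function proposeFactory(address _factory) external onlyOwner {
        require(_factory != address(0), "TFH: INVALID_ADDRESS");
        require(!supportedFactories[_factory], "TFH: ALREADY_FACTORY");
        require(pendingFactoryEta[_factory] == 0, "TFH: ALREADY_PENDING");
        uint256 eta = block.timestamp + DELAY;
        pendingFactoryEta[_factory] = eta;
        emit FactoryProposed(_factory, eta);
    }

    /// The owner (or, in practice, a governance process) can withdraw a
    /// proposal during the review window.
    function cancelFactory(address _factory) external onlyOwner {
        require(pendingFactoryEta[_factory] != 0, "TFH: NOT_PENDING");
        delete pendingFactoryEta[_factory];
        emit FactoryProposalCancelled(_factory);
    }

    /// Step 2: activation succeeds only for a previously proposed factory and
    /// only after DELAY has passed, so a single owner transaction can no longer
    /// grant factory rights and drain funds in the same block.
    function addFactory(address _factory) external onlyOwner {
        uint256 eta = pendingFactoryEta[_factory];
        require(eta != 0, "TFH: NOT_PROPOSED");
        require(block.timestamp >= eta, "TFH: TIMELOCK_NOT_EXPIRED");
        delete pendingFactoryEta[_factory];
        supportedFactories[_factory] = true;
        emit FactoryAdded(_factory);
    }
}
```

The sponsor's design reaches the same outcome from the outside: when the contract's owner is itself an OpenZeppelin `TimelockController` with a >7-day delay, every `onlyOwner` call, `addFactory()` included, is already subject to that delay, so the window for review exists whether the delay lives in the owner or in the function. What matters for detection is that a factory registration always appears on-chain at least one delay period before it becomes effective, which is the event (`FactoryProposed` here, or the timelock's scheduling event in the sponsor's setup) a monitoring rule should alert on.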