code-423n4 / 2022-05-alchemix-findings


The caller can redirect execution to arbitrary bytecode locations - TransmuterBuffer.sol #42

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/TransmuterBuffer.sol#L474
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/TransmuterBuffer.sol#L482

Vulnerability details

Impact

Solidity supports function types. That is, a variable of function type can be assigned a reference to a function with a matching signature. The function saved to such a variable can be called just like a regular function.

The problem arises when a user has the ability to arbitrarily change the function type variable and thus execute random code instructions. As Solidity doesn't support pointer arithmetic, it's impossible to change such a variable to an arbitrary value. However, if the developer uses assembly instructions, such as mstore or the assignment operator, in the worst-case scenario an attacker is able to point a function type variable to any code instruction, violating required validations and required state changes.

Proof of Concept

SWC-127: Arbitrary Jump with Function Type Variable

The caller can redirect execution to arbitrary bytecode locations. It is possible to redirect the control flow to arbitrary locations in the code. This may allow an attacker to bypass security controls or manipulate the business logic of the smart contract. Avoid using low-level operations and assembly to prevent this issue.

https://swcregistry.io/docs/SWC-127

Example tx to reproduce

address: 0x0901d12ebe1b195e5aa8748e62bd7734ae19b51f
gasLimit: 0xec19
gasPrice: 0x3b9aca024
input: 0xfc00000000
origin: 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0
value: 0x0
blockCoinbase: 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0
blockDifficulty: 0x8
blockGasLimit: 0xff0000
blockNumber: 0x0
blockTime: 0x0

Tools Used

MythX

Recommended Mitigation Steps

Do not allow a user to assign arbitrary values to function type variables.
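An added illustration of the SWC-127 pattern this finding cites, constructed for this write-up and not code from the Alchemix contracts: a dispatcher whose internal function pointer is overwritten through inline assembly with caller data, beside a version that only ever assigns function-type values from named functions (contract and function names are hypothetical).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Constructed example of SWC-127; not the TransmuterBuffer code.
contract VulnerableDispatcher {
    uint256 public counter;

    function increment() internal { counter += 1; }
    function reset() internal { counter = 0; }

    struct Handler { function() internal fn; }

    /// `offset` is caller-controlled data added straight into the
    /// function pointer. With the legacy code generator an internal
    /// function value is a jump destination, so a chosen offset moves
    /// execution to any JUMPDEST in the bytecode, skipping whatever
    /// checks normally precede that location.
    function run(uint256 offset) external {
        Handler memory h;
        h.fn = increment;
        assembly {
            mstore(h, add(mload(h), offset)) // SWC-127: arbitrary jump
        }
        h.fn();
    }
}

// Hardened form: no assembly, and the function-type value is never
// derived from user input. The internal dispatcher only receives
// explicit function references from the external entry points.
contract SafeDispatcher {
    uint256 public counter;

    function increment() internal { counter += 1; }
    function reset() internal { counter = 0; }

    function _dispatch(function() internal fn) internal {
        fn();
    }

    function runIncrement() external { _dispatch(increment); }
    function runReset() external { _dispatch(reset); }
}
```

A review check for this pattern is to grep for function-type state variables, struct members and parameters, then confirm each assignment site is a named function rather than anything touched by assembly or calldata.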

0xfoobar commented 2 years ago

Sponsor disputed

This is an internal function, so cannot be called by end users. All calls to it from external functions are made with explicit function signatures.

0xleastwood commented 2 years ago

Siding with sponsor, this function is handled safely.