Closed code423n4 closed 2 years ago
Incorrect argument entry is out of scope, this is a frontend attack. Almost all contracts have some configuration that if done improperly could be bad.
The sponsor has marked multiple findings as invalid, stating that incorrect arguments aren't in scope https://github.com/code-423n4/2022-05-factorydao-findings/search?q=%22not+in+scope%22++label%3Ainvalid+%22arguments%22&type=issues. However, nowhere in the readme does it mention this. Some wardens spent a lot of time finding and filing issues for things they wouldn't have had this been mentioned in the readme. In some of the issues, funds are at risk. Also, the sponsor mentions things as being invalid due to being a part of the front-end. If someone interacts directly with the contracts, they won't be using the front-end.
The sponsor didn't mark anything invalid. The judge did. The sponsor made the case and the judge either agrees or disagreed.
For parameter induced errors, what a warden should look for is when a error occurs for values that are expected to produce no error.
For instance, take the fictional function
/**
* @dev setting time to zero just returns displacement
*/
function calculateVelocity(uint displacement, uint time) external pure returns (uint) {
return displacement/time;
}
Here, the dev has incorrectly assumed that time=0 will pass when in fact it will revert. A warden should report this.
But now consider the following contract
contract CarStats{
uint8 massOfCarInKg = 1000; //assume 1 ton as default
constructor(uint8 _mass){
mass = mass;
}
function calculateMomentum (uint velocity) external pure returns(uint) {
return velocity*uint(mass);
}
}
If the warden reports that inputting a very high velocity can lead to overflow then they're implying that the user wants a car that can travel many times faster than the speed of light. In this case the report is invalid.
The sponsor is correct that "Almost all contracts have some configuration that if done improperly could be bad." and doesn't have to provide explanation of a universal truth in a README.
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleIdentity.sol#L89-L107
Vulnerability details
Impact
If
treeAdder
calladdMerkleTree()
ofMerkleIdentity
with wrong values foreligibilityIndex
orpriceIndex
(uninitialized gates index) attacker can create those gate indexes inpriceGateAddress
oreligibilityAddress
(they are permission less) with his own specific parameters and stealNFTs
just by minting a lot for himself or by buying for low prices.Proof of Concept
This is the code of
addMerkleTree()
inMerkleIdentity
:As you can see there is no check that (
eligibilityIndex
ineligibilityAddress
) or (priceIndex
inpriceGateAddress
) are valid gate index and initialized in the past and even there were some checks attacker could still do this by front-running, attacker only needtreeAdder
to set wrong values foreligibilityIndex
orpriceIndex
(uninitialized gates index), then attacker can create gates for those indexes by front-running or normal transactions. (gates can be created by anyone, and attacker create bunch of them in his own contract in one transaction to reach those indexes).If
treeAdder
by mistake set wrong values for them, then attacker can create those gates with specially crafted parameters ineligibilityAddress
orpriceGateAddress
(create enough gates thatnumGates
reacheseligibilityIndex
orpriceIndex
) and manipulate price or minting permission of theNFT
token and steal funds. becasuse for price or minting permissionMerkleIdentity()
calls those gates:Tools Used
VIM
Recommended Mitigation Steps
specifying
eligibilityIndex
orpriceIndex
to identifygates
are not enough, there should be some other variable likecreator
to create link forgates
with (index
,creator
), so this kind of attack in case of wrong values by mistake don't be possible by attacker.