search

code-423n4 / 2022-06-connext-findings

1 stars 0 forks source link

Diamond upgrade proposition can be falsified #241

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/DiamondCutFacet.sol#L16-L29 https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibDiamond.sol#L94-L118 https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibDiamond.sol#L222-L240

Vulnerability details

Impact

Diamond is to be upgraded after a certain delay to give time to the community to verify changes made by the developers. If the proposition can be falsified, the contract admins can exploit the contract in any way of their choice.

Proof of Concept

To determine the id of the proposal, only its facet changes are hashed, skipping two critical pieces of data - the _init and _calldata. During a diamond upgrade, devs can choose what code will be executed by the contract using a delegatecall. Thus, they can make the contract perform any actions of their choice.

Tools Used

Manual analysis

Recommended Mitigation Steps

Add _init and _calldata to the proposition hash.

jakekidd commented 2 years ago

Resolved by https://github.com/connext/nxtp/commit/63badc862f1aea54082c797cee08949a7bb95d9f

0xleastwood commented 1 year ago

I consider this to be severe, however, it does require a malicious or compromised governance. Because of this, I would prefer to have this downgraded to medium severity.