Open code423n4 opened 1 year ago
It is a correct observation, but the submission does not state any actual impact caused by this. In fact, this removes the compiler metadata stored at the end of the contract, which means the contract may not be verified successfully on etherscan. For High risk, the submission must attempt to demonstrate funds at risk, which is very far from the case.
Really nice finding! Will have to study attack surface further, don't really see how this could create a risk for funds (fwiw, we're aiming to have verification by "Similar bytecode" on etherscan, as the canonical contract will be the verified ones - they do have the metadata at the end, the only remaining unknown is therefore if etherscan checks them or just the runtime bytecode)
So yeah, after trying, the only thing at stake here is lack of similar bytecode verification possibility - thanks :)
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-a
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateDeployer.sol#L83
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateDeployer.sol#L115
Vulnerability details
Description
Function `deployDelegateFor` in the `JBTiered721DelegateDeployer` deploys a copied bytecode from the reference smart contracts. That's implemented in the `_clone` function. Specifically, the init code is saved in memory and concatenated with the copied bytecode. The concatenated creation code is stored at `_freeMem` and has a length of `13 + _codeSize` bytes. However, the bytecode that is going to be deployed has only `_codeSize`. So, the `_copy` method deploys not the copied bytecode, but the bytecode without the last 13 bytes.
Recommended Mitigation Steps
Deploy full bytecode, by
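To make the length mismatch in the finding concrete, here is an added Python model of the clone deployment (my own example, not code from juice-nft-rewards or Code4rena). It assumes a minimal 13-byte deploy stub of the kind the report describes (PUSH3 length, PUSH1 0, DUP2, PUSH1 13, DUP3, CODECOPY, RETURN, INVALID); those opcodes are my assumption, not copied from the project, and the target runtime bytes are constructed sample data. The interpreter only implements the opcodes the stub uses and follows EVM CODECOPY semantics, where reads past the end of the init code yield zero bytes, which is exactly what happens when `create` is handed `_codeSize` instead of `13 + _codeSize` bytes.

```python
"""Model of the clone deployer's init-code length bug (added example).

The 13-byte stub and the sample runtime below are assumptions/constructed data,
not the project's own bytes.
"""

STUB_LEN = 13  # the report states the init-code prefix is 13 bytes


def build_init_code(runtime: bytes) -> bytes:
    """Stub followed by the copied runtime: STUB_LEN + len(runtime) bytes."""
    assert len(runtime) < 2**24, "PUSH3 can only encode a 3-byte length"
    # PUSH3 <len> PUSH1 0 DUP2 PUSH1 13 DUP3 CODECOPY RETURN INVALID
    stub = b"\x62" + len(runtime).to_bytes(3, "big") + bytes.fromhex("600081600d8239f3fe")
    assert len(stub) == STUB_LEN
    return stub + runtime


def run_init_code(code: bytes) -> bytes:
    """Tiny interpreter for just the opcodes in the stub.

    CREATE only ever sees `code`; whatever length the caller passed is all
    there is. Like the EVM, CODECOPY pads reads beyond len(code) with 0x00.
    """
    stack: list[int] = []
    mem = bytearray()

    def grow(n: int) -> None:
        if len(mem) < n:
            mem.extend(b"\x00" * (n - len(mem)))

    pc = 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:  # PUSH1..PUSH32
            n = op - 0x5F
            stack.append(int.from_bytes(code[pc + 1:pc + 1 + n].ljust(n, b"\x00"), "big"))
            pc += 1 + n
            continue
        if 0x80 <= op <= 0x8F:  # DUP1..DUP16
            stack.append(stack[-(op - 0x7F)])
        elif op == 0x39:  # CODECOPY(destOffset, offset, size)
            dest, off, size = stack.pop(), stack.pop(), stack.pop()
            grow(dest + size)
            mem[dest:dest + size] = code[off:off + size].ljust(size, b"\x00")
        elif op == 0xF3:  # RETURN(offset, size): returned bytes become the runtime
            off, size = stack.pop(), stack.pop()
            grow(off + size)
            return bytes(mem[off:off + size])
        elif op == 0xFE:  # INVALID
            raise RuntimeError("INVALID reached")
        else:
            raise NotImplementedError(f"opcode {op:#x} not modelled")
        pc += 1
    return b""  # fell off the end of the code without RETURN


def deploy_clone(runtime: bytes, create_size: int) -> bytes:
    """Runtime that CREATE deploys when given `create_size` bytes of the init buffer."""
    init = build_init_code(runtime)
    return run_init_code(init[:create_size])


def clone_matches_reference(runtime: bytes, create_size: int) -> bool:
    """The check a reviewer wants: does the clone's runtime equal the reference's?"""
    return deploy_clone(runtime, create_size) == runtime


# Constructed sample runtime: a few real-looking opcodes followed by filler that
# stands in for solc's trailing metadata block.
SAMPLE_RUNTIME = bytes.fromhex("6080604052348015600f57600080fd5b") + bytes(range(0x10, 0x40))

if __name__ == "__main__":
    buggy = deploy_clone(SAMPLE_RUNTIME, len(SAMPLE_RUNTIME))          # create(0, _freeMem, _codeSize)
    fixed = deploy_clone(SAMPLE_RUNTIME, STUB_LEN + len(SAMPLE_RUNTIME))  # create(0, _freeMem, 13 + _codeSize)
    print("buggy clone matches reference:", buggy == SAMPLE_RUNTIME)
    print("fixed clone matches reference:", fixed == SAMPLE_RUNTIME)
    print("bytes that differ in the buggy clone:", sum(a != b for a, b in zip(buggy, SAMPLE_RUNTIME)))
```

With `_codeSize` passed to `create`, the stub still runs, but its CODECOPY reads 13 bytes past the end of the truncated init code, so the deployed runtime keeps its length and has its last 13 bytes replaced by zeros; those are exactly the bytes where the compiler metadata lives, which is why the clone's `extcodehash` no longer equals the reference's and similar-bytecode verification fails. Passing `13 + _codeSize` deploys a byte-for-byte copy.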