code-423n4 / 2022-11-looksrare-findings


The owner of the contract can break the storage of the LooksRareAggregator contract #270

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L132

https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L88

Vulnerability details

Impact

The owner of the contract can break the storage of the LooksRareAggregator contract

Proof of Concept

The addFunction() function - https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L132 - can be called by the owner to set the proxy address and function selector for the function to be called inside this proxy. This function is dangerous because LooksRareAggregator performs a delegatecall - https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L88 - to that address. It is not guaranteed that those new proxies won't rewrite slots in the LooksRareAggregator storage.

Recommended Mitigation Steps

Consider following well-known patterns for proxy management.

Picodes commented 1 year ago

This is the intended design, no PoC.

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Insufficient proof
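
The storage concern raised in the issue can be checked before a proxy is registered. The following is an added example, not part of the original thread or the project's code: it compares the statically declared storage of a delegatecall target against the caller's, using data in the shape of solc's `storageLayout` output. All layouts, variable names and slots below are constructed and hypothetical, and the check does not cover writes made through inline assembly or hashed slots.

```python
# Constructed layouts in the shape of solc's storageLayout output, reduced to
# the fields used here. Names and slots are hypothetical, not the audited contracts'.
TYPES = {"t_address": {"numberOfBytes": "20"}, "t_bool": {"numberOfBytes": "1"},
         "t_uint256": {"numberOfBytes": "32"}, "t_mapping": {"numberOfBytes": "32"}}
AGGREGATOR = {"types": TYPES, "storage": [
    {"label": "owner", "slot": "0", "offset": 0, "type": "t_address"},
    {"label": "paused", "slot": "0", "offset": 20, "type": "t_bool"},
    {"label": "proxyFunctions", "slot": "1", "offset": 0, "type": "t_mapping"}]}
# A proxy with only constants/immutables declares no storage at all.
STATELESS_PROXY = {"types": None, "storage": []}
STATEFUL_PROXY = {"types": TYPES, "storage": [
    {"label": "feeRecipient", "slot": "0", "offset": 0, "type": "t_address"},
    {"label": "counter", "slot": "1", "offset": 0, "type": "t_uint256"}]}


def occupied(layout):
    """Map absolute storage byte -> variable label for every declared variable."""
    cells = {}
    for var in layout["storage"]:
        size = int(layout["types"][var["type"]]["numberOfBytes"])
        first = int(var["slot"]) * 32 + var["offset"]
        for byte in range(first, first + size):
            cells[byte] = var["label"]
    return cells


def collisions(caller_layout, callee_layout):
    """Return (slot, caller_var, callee_var) for each overlap.

    Under delegatecall the callee's code runs against the caller's storage,
    so any variable the callee declares aliases whatever the caller keeps
    at the same slot and byte offset.
    """
    caller = occupied(caller_layout)
    hits = set()
    for byte, callee_label in occupied(callee_layout).items():
        if byte in caller:
            hits.add((byte // 32, caller[byte], callee_label))
    return sorted(hits)


def safe_to_register(caller_layout, callee_layout):
    """True only when the delegatecall target shares no declared storage bytes."""
    return not collisions(caller_layout, callee_layout)


if __name__ == "__main__":
    for name, proxy in (("stateless", STATELESS_PROXY), ("stateful", STATEFUL_PROXY)):
        print(name, collisions(AGGREGATOR, proxy))
```
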