search

code-423n4 / 2023-01-biconomy-findings

12 stars 10 forks source link

The isContract function in LibAddress that uses EXTCODESIZE can be vulnerable to the "Contract Creation Code Execution" attack #510

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccount.sol#L121

Vulnerability details

Impact

It will allow the attacker to potentially execute malicious code in the _implementation contract at https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccount.sol#L121

Proof of Concept

https://github.com/code-423n4/2023-01-biconomy/blob/main/scw-contracts/contracts/smart-contract-wallet/SmartAccount.sol#L121


contract Victim {

    function isContract(address account) public view returns(bool){
      uint32 csize;

      assembly {
        size := extcodesize(account)
      }
      return csize != 0;
    }

contract Attacker {

    bool public iTrickedIt;
    Victim v;

    constructor(address _v) public {
        v = Victim(_v);
        // addrss(this) doesn't have code, yet
        iTrickedIt = !v.isContract();
    }

}```

-Deploy Victim
- Deploy Attacker with Victim address
- Check iTrickedIt in Attacker

## Tools Used
Remix

## Recommended Mitigation Steps
Consider using another method than the "isContract()" function from LibAddress or the "isContract()" function from Openzeppelin's library, as both can be vulnerable when checking if the caller is a contract.
c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Invalid