Closed code423n4 closed 1 year ago
Thinking QA, because the addition will revert
I think in this edge case counterSlot > (2^224-1)
the addition will change the driverId
as well and the setSplits
will revert because the Driver doesn't own the driverID.
2^224
is very large and this scenario is very unlikely to reach.
We could add a cast check here just for cleanness in the code.
Recommendation: low
[dispute validity] The attack requires calling a contract 2^224 times. It's simply not possible, the entire humankind probably hasn't performed that many computational operations in its entire existence, let alone on a single blockchain. If you have a power capacity like this, you can just preimage the DripsHub address and drain all the assets held by it.
CodeSandwich marked the issue as sponsor disputed
Per the Sponsors comment this is a theoretical attack, I believe the finding can be awarded as informational, with an understanding that this cannot be performed in practice
NC
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-c
2L 1NC after accounting for dups
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/ImmutableSplitsDriver.sol#L53-L68
Vulnerability details
Title
It is possible for the bits used to store
driverId
inuserId
to be corruptedImpact
While it is unlikely that
counterSlot
exceeds uint224, we must note thatcreateSplits()
is a function callable by by anyone, and it can be used to increase the value perpetually. Furthermore, should corruptibility happen, it will mess up access control granted to userIds.Proof of Concept
userId
storesdriverId
in the first 32 bits and_counterSlot
in the next 224 bits. However, we note that_counterSlot
isuint256
value.Each time a split is created, value of
counterSlot
increases by one. This is a public function callable by any users. It is possible for the value to exceed uint224.max. IfcounterSlot > uint224.max
, when we do the sum(uint256(driverId) << 224) + StorageSlot.getUint256Slot(_counterSlot).value
, thedriverId
part userId will be corrupted and changes based on what is being added, but it is supposed to be fixed.This is an issue as the modifiers
onlyDriver
andassertCallerIsDriver
relies on thedriverId
to facilitates access control. It will mess up the permissions granted to userIds that are affected, possibly giving access to those not allowed, or removing access from those allowed.Tools Used
Manual Review
Recommended Mitigation Steps
Consider using uint224 for
_counterSlot
instead.