Closed code423n4 closed 1 year ago
Looks off, some tx are set up for meta-tx, others are not
This seems true and we currently don't support the meta-transactions for governance.
I don't see this as a problem.
If we change it in Managed it would also have implications on DripsHub which is not an ERC2771Context.
[dispute validity] The governance API should be as simple and self-contained as possible. If 3rd party contracts like Caller turn out to be buggy or malicious, governance should be able to pause and upgrade without any interference.
CodeSandwich marked the issue as sponsor disputed
I believe the Sponsor side to be valid in terms of disputing a vulnerability
I think the finding is valid as a Non-Critical Refactoring
R
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-c
GalloDaSballo marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/AddressDriver.sol#L19
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/NFTDriver.sol#L19
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Managed.sol#L47
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Managed.sol#L54
Vulnerability details
Impact
Functions pause(), unpause(), changeAdmin(), grantPauser(), revokePauser() will always fail if called via a forwarder (e.g. Caller).
Proof of Concept
ERC2771Context is an implementation of Context. The contract can extract the sender of a forwarded transaction from the calldata, which enables users to call the contract through a trustedForwarder.
AddressDriver and NFTDriver both inherit from ERC2771Context, so its functions can be called from forwarder, _msgSender() is used instead of msg.sender:
However, AddressDriver and NFTDriver also inherit from Managed, which does not support forwarder and always uses msg.sender directly:
This leads to a bit of a mess between AddressDriver and NFTDriver, with one part supporting the forwarder and the other not.
Tools Used
VS Code
Recommended Mitigation Steps
We should make the Managed contract inherit from Context and replace all msg.sender with _msgSender() in it.
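The mismatch discussed in this thread, as an added example that is not part of the original report and not the Drips code: one contract exposes a forwarder-aware function that resolves the caller through an ERC-2771 style _msgSender(), alongside an admin function that checks msg.sender directly. DemoForwarder, DemoDriver, userAction and the revert string are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; all names are hypothetical, not the Drips contracts.

/// Minimal ERC-2771 style forwarder: appends the real caller to the calldata.
contract DemoForwarder {
    function forward(address target, bytes calldata data) external returns (bool ok) {
        (ok,) = target.call(abi.encodePacked(data, msg.sender));
    }
}

contract DemoDriver {
    address public immutable trustedForwarder;
    address public admin;
    address public lastUser;
    bool public paused;

    constructor(address forwarder, address admin_) {
        trustedForwarder = forwarder;
        admin = admin_;
    }

    /// Same rule as ERC2771Context: trust the 20-byte suffix only from the forwarder.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    /// Driver-style function: forwarder-aware, records the original caller.
    function userAction() external {
        lastUser = _msgSender();
    }

    /// Managed-style function: checks msg.sender, so a forwarded call
    /// is attributed to the forwarder and reverts.
    function pause() external {
        require(msg.sender == admin, "Caller is not the admin");
        paused = true;
    }
}
```

When the admin calls forward() with the encoded userAction() call, lastUser is set to the admin's address; the same route with the encoded pause() call returns ok == false because pause() sees the forwarder as msg.sender. A direct pause() call from the admin succeeds, which is the governance path the sponsor describes as intended.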