Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/36477d96788791ff07a1ba40d0c726fb39bf05ec/src/vault/AdminProxy.sol#L15-L26
Vulnerability details
Impact
AdminProxy is the hot spot for all low-level calls, therefore it should perform some extra security checks that are currently not in place.
By design, a Solidity low-level call to the zero address or to an EOA (non-contract) address returns success = true. The only way to detect whether success = true actually indicates that the call succeeded is to check the return data length:
if it is greater than zero, the call definitely reached a contract function and succeeded;
if it is zero, the result must be discriminated further.
To discriminate in the latter case, the presumed contract address needs to be checked for code length.
Proof of Concept
https://github.com/code-423n4/2023-01-popcorn/blob/36477d96788791ff07a1ba40d0c726fb39bf05ec/src/vault/AdminProxy.sol#L15-L26
Tools Used
n/a
Recommended Mitigation Steps
At a minimum, the AdminProxy could be changed as follows:
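The check described above, written out as an added illustration rather than the submitted patch or the Popcorn project's own code: a hypothetical HardenedAdminProxy whose execute function treats empty return data as ambiguous and only accepts it when the target actually has code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical hardened proxy (illustration only, not the Popcorn AdminProxy).
/// Forwards arbitrary low-level calls on behalf of its owner, but refuses to
/// report success for calls that never reached contract code.
contract HardenedAdminProxy {
    address public immutable owner;

    error NotOwner();
    error CallFailed(address target, bytes returndata);
    error TargetHasNoCode(address target);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function execute(address target, bytes calldata callData)
        external
        onlyOwner
        returns (bytes memory returndata)
    {
        bool success;
        (success, returndata) = target.call(callData);

        // A revert inside a real contract is the only case where success is false.
        if (!success) revert CallFailed(target, returndata);

        // success == true with non-empty return data can only come from contract
        // code, so it needs no further discrimination.
        if (returndata.length > 0) return returndata;

        // success == true with empty return data is ambiguous: it is what a call
        // to the zero address, an EOA or a function with no return value yields.
        // Discriminate by checking that the target actually holds code.
        if (target.code.length == 0) revert TargetHasNoCode(target);

        return returndata;
    }
}
```

Checking target.code.length before the call instead of after is equivalent for this purpose and saves the wasted call to a codeless address; the post-call form mirrors the two-step reasoning in the finding.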