code-423n4 / 2023-04-eigenlayer-findings


`isContract()` is not a reliable way of checking if the input is an EOA #415

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Layr-Labs/eigenlayer-contracts/blob/dbeb85bcd0476e06b8feebf07e33f8a53d54c029/src/contracts/core/StrategyManager.sol#L289

Vulnerability details

Impact

depositIntoStrategyWithSignature is checking whether the msg.sender is an EOA or a contract, and it does so by calling isContract(), which is not right.

Proof of Concept

The isContract() check can be passed even if msg.sender is a smart contract, if:

The function is called in the constructor. isContract() checks the code length, but during construction the code length is 0.

A smart contract that has not been deployed yet can be used. The CREATE2 opcode can be used to deterministically calculate the address of a smart contract before it is created. This means that the user can bypass this check by calling this function before deploying the contract.

Here is another Medium issue with the same title: https://solodit.xyz/issues/5925

Tools Used

Manual Review

Recommended Mitigation Steps

Assessed type

Invalid Validation
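The two conditions the finding describes, followed by a signature check that does not depend on classifying the signer as EOA or contract, as an added Solidity illustration that is not EigenLayer's code; `ProbeDuringConstruction`, `SignatureGate` and `isValidSignatureFor` are names chosen here for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;
// Added illustration, not EigenLayer code.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory sig) external view returns (bytes4);
}

// Part 1: code size is zero during a contract's own constructor, so a
// code-length check misclassifies the contract as an EOA at that moment.
contract ProbeDuringConstruction {
    bool public seenAsContractInConstructor;
    bool public seenAsContractAfter;

    constructor() {
        // Runtime code is stored only after the constructor returns: records false.
        seenAsContractInConstructor = address(this).code.length > 0;
    }

    function probeAgain() external {
        seenAsContractAfter = address(this).code.length > 0; // true once deployed
    }
}

// Part 2: verification that does not depend on classifying the signer.
// Try ECDSA first; fall back to ERC-1271 only when the signer has code. A
// contract still in its constructor fails ECDSA and simply reverts its own call.
contract SignatureGate {
    bytes4 private constant ERC1271_MAGIC = 0x1626ba7e;
    uint256 private constant HALF_ORDER = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    function isValidSignatureFor(address signer, bytes32 hash, bytes memory sig) public view returns (bool) {
        if (sig.length == 65) {
            bytes32 r; bytes32 s; uint8 v;
            assembly {
                r := mload(add(sig, 32))
                s := mload(add(sig, 64))
                v := byte(0, mload(add(sig, 96)))
            }
            if (uint256(s) <= HALF_ORDER) { // reject high-s (malleable) signatures
                address recovered = ecrecover(hash, v, r, s);
                if (recovered != address(0) && recovered == signer) return true;
            }
        }
        if (signer.code.length == 0) return false;
        (bool ok, bytes memory ret) =
            signer.staticcall(abi.encodeCall(IERC1271.isValidSignature, (hash, sig)));
        return ok && ret.length == 32 && abi.decode(ret, (bytes4)) == ERC1271_MAGIC;
    }
}
```

Deploying `ProbeDuringConstruction` and reading its two flags shows the misclassification directly; `SignatureGate` shows why it buys a caller nothing when the check only selects a verification path.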

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as primary issue

c4-sponsor commented 1 year ago

Sidu28 marked the issue as sponsor disputed

Sidu28 commented 1 year ago

There is no attack vector here. An attempted attacker can at best revert their own transaction.

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid

GalloDaSballo commented 1 year ago

The vulnerability would be the opposite; usage in context is fine.