Open code423n4 opened 1 year ago
0xSorryNotSorry marked the issue as primary issue
AustinGreen marked the issue as sponsor acknowledged
AustinGreen marked the issue as disagree with severity
We acknowledge the risk of allowing delegatecalls in LlamaAccounts. Llama instances are standalone governance systems and they can call any function that they choose whether it's a call or delegatecall. It's up to the instance's governance to determine which targets and functions are permissioned. For these reasons we believe this should be a low severity issue.
We're exploring the possibility of implementing mitigation recommendation 2 (Deploy each LlamaAccount independently without a proxy-implementation pattern). The approach described in 1 would conflict with how token approvals/transfers work. We aim to reduce risk surface area without removing features from our users. If we're able to avoid deploying accounts as minimal proxies, then we will make this change.
To clarify my comment above, we think this is ok as informational severity but not higher. It is the intended design of the system to allow delegatecalls and this would require user error.
I agree, ultimately a delegatecall basically allow you do anything as the executor already.
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as grade-b
Hi, my issue #99 is marked repeat with this, leaving a few comments here, clarification how to bypass the goverment for the attack.
The main idea is that the contract code is variable, so malicious users can use create2 + selfdestruct / upgradable contract
to implement the attack.
After DAO members review the code, vote it and then use the contract's variability for malicious attacks.
In light of the recent governance incident with Tornado Cash, I think the attack is possible.
Hi, my issue #99 is marked repeat with this, leaving a few comments here, clarification how to bypass the goverment for the attack. The main idea is that the contract code is variable, so malicious users can use
create2 + selfdestruct / upgradable contract
to implement the attack. After DAO members review the code, vote it and then use the contract's variability for malicious attacks. In light of the recent governance incident with Tornado Cash, I think the attack is possible.
that's already considered in the overall grading
Lines of code
https://github.com/code-423n4/2023-06-llama/blob/main/src/accounts/LlamaAccount.sol#L115 https://github.com/code-423n4/2023-06-llama/blob/main/src/accounts/LlamaAccount.sol#L297-L324 https://github.com/code-423n4/2023-06-llama/blob/main/src/accounts/LlamaAccount.sol#L103-L106
Vulnerability details
Impact
If the
delegatecall
inLlamaAccount.execute
changesllamaExecutor
to an malicious contract, then functions modified byonlyLlama
are open to the malicious contract. After the exploit, it can return the llamaExecutor as before to passoriginalStorage != _readSlot0()
check.Proof of Concept
Update
test/mock/MockExtension.sol
as below.Add a following test in
test/accounts/LlamaAccount.t.sol
and runforge test --match-test test_ManipulateLlamaExecutor
.Tools Used
Manual review
Recommended Mitigation Steps
There are two possible solutions.
LlamaAccountExecutor
likeLlamaCore
andLlamaExecutor
to prevent unexpected storage updates. This solution is also given in the previous audit issue 5.3.5 LlamaCore delegate calls can bring Llama into an unusal state.LlamaAccount
independently without a proxy-implementation pattern and makellamaExecutor
immutable likeLlamaExecutor.LLAMA_CORE
.Assessed type
call/delegatecall