Closed code423n4 closed 1 year ago
minhquanym marked the issue as primary issue
CJ42 marked the issue as disagree with severity
ADD/CHANGE EXTENSION
is a big permission, we are aware that this permission could lead to even more than just the reported issue.
trust1995 marked the issue as satisfactory
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L303-L313
Vulnerability details
Bug Description
LSP6KeyManager
has in-built reentrancy protections. It works by setting_reentrancyStatus
totrue
using_nonReentrantBefore()
before a call toLSP0ERC725Account
is made, and then calling_nonReentrantAfter()
to set_reentrancyStatus
back tofalse
afterwards.However, this reentrancy protection can be bypassed by adding the
LSP6KeyManager
'slsp20VerifyCallResult()
function as an extension to the LSP0 account:LSP6KeyManagerCore.sol#L303-L313
Where:
_target
is set to theLSP0ERC725Account
's address.As
lsp20VerifyCallResult()
is called through the LSP0 account,msg.sender == _target
will be true, thereby calling_nonReentrantAfter()
to reset_reentrancyStatus
.Therefore, after
lsp20VerifyCallResult()
is added as an extension, anyone can then call this before performing a reentrant call toLSP6KeyManager
to bypass reentrancy checks.Impact
Anyone with
ADDEXTENSIONS
/CHANGEEXTENSIONS
permissions can allow users to bypassLSP6KeyManager
's reentrancy protections by addinglsp20VerifyCallResult()
as an extension.Proof of Concept
The following Foundry test demonstrates how a user can re-enter the KeyManager once
lsp20VerifyCallResult()
is added as an extension:Recommended Mitigation
Disallow the
lsp20VerifyCallResult()
function inLSP6KeyManager
. One way of achieving this could be to blacklist its function selector. However, this could potentailly cause problems if a function in another extension happens to have the same selector.Assessed type
Reentrancy