code-423n4 / 2023-06-lukso-findings


Function collision between extension functions and account functions #40

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-lukso/blob/9dbc96410b3052fc0fd9d423249d1fa42958cae8/contracts/LSP0ERC725Account/LSP0ERC725AccountCore.sol#L151

Vulnerability details

Impact

Users or the owner can't use extensions because of collisions between extension functions and account functions.

Proof of Concept

Whenever someone calls the account, it checks for the function inside it; if there isn't such a function, it goes to the fallback to check extensions. As mentioned in the docs (https://docs.lukso.tech/standards/universal-profile/lsp6-key-manager): “when the account is called with a function that does not exist natively in its public interface. The fallback function of the linked ERC725Account will handle the call to the extension set for the function selector being called.” So if someone wants to use an extension and that extension has a collision with existing functions, they cannot use it.

Tools Used

manual

Recommended Mitigation Steps

Save all function selectors and add a check before adding an extension, to check for function collisions.

Assessed type

Other
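The dispatch order described in the report, together with the check it recommends, as an added example that is not part of the original report and is not LUKSO's LSP0/LSP17 code. It is a simplified account in which every contract, function and error name is hypothetical: native selectors are matched before `fallback` runs, and `setExtension` rejects selectors the fallback could never receive.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Simplified illustration; all names here are hypothetical.
contract AccountWithExtensions {
    address public owner;
    mapping(bytes4 => address) private _extensions;

    error SelectorCollidesWithNativeFunction(bytes4 selector);
    error NoExtensionForSelector(bytes4 selector);

    constructor() {
        owner = msg.sender;
    }

    // Selectors in the account's own public interface. The compiler-generated
    // dispatcher matches these first, so fallback() never sees them.
    function _isNative(bytes4 selector) internal pure returns (bool) {
        return
            selector == this.owner.selector ||
            selector == this.setExtension.selector ||
            selector == this.getExtension.selector;
    }

    // Recommended mitigation: refuse to register an extension under a
    // selector that a native function already occupies.
    function setExtension(bytes4 selector, address extension) external {
        require(msg.sender == owner, "not owner");
        if (_isNative(selector)) revert SelectorCollidesWithNativeFunction(selector);
        _extensions[selector] = extension;
    }

    function getExtension(bytes4 selector) external view returns (address) {
        return _extensions[selector];
    }

    // Reached only when msg.sig matches no native function.
    fallback(bytes calldata data) external returns (bytes memory) {
        address extension = _extensions[msg.sig];
        if (extension == address(0)) revert NoExtensionForSelector(msg.sig);
        (bool ok, bytes memory result) = extension.call(data);
        if (!ok) {
            // Bubble up the extension's revert data unchanged.
            assembly { revert(add(result, 32), mload(result)) }
        }
        return result;
    }
}
```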

c4-pre-sort commented 1 year ago

minhquanym marked the issue as primary issue

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

Inflated severity

c4-sponsor commented 1 year ago

CJ42 marked the issue as sponsor disputed

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Invalid