Adding an extension uses the 4-byte function selector as the key for the new extension, but if an extension already exists for that function selector, a user with the ADDEXTENSIONS permission cannot add the extension.
Impact
A user with ADDEXTENSIONS cannot add an extension.
Proof of Concept
When a user with the ADDEXTENSIONS permission wants to add a new extension, LSP6SetDataModule.sol checks whether the user has both permissions. If the user has only one of them, it checks whether an extension already exists for this function selector. If one does, it requires _PERMISSION_CHANGEEXTENSIONS, so a user with only the ADDEXTENSIONS permission cannot add the extension.
Lines of code
https://github.com/code-423n4/2023-06-lukso/blob/9dbc96410b3052fc0fd9d423249d1fa42958cae8/contracts/LSP6KeyManager/LSP6Modules/LSP6SetDataModule.sol#L490-L499
https://github.com/code-423n4/2023-06-lukso/blob/9dbc96410b3052fc0fd9d423249d1fa42958cae8/contracts/LSP6KeyManager/LSP6Modules/LSP6SetDataModule.sol#L302-L318
Vulnerability details
Tools Used
manual
Recommended Mitigation Steps
Save all function selectors together with who wants to add the extension, and check for collisions before deploying the extension.
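The permission decision described under Proof of Concept and the collision check recommended above, as a small Python model. This is an added example, not code from LSP6SetDataModule.sol: the `Perm` flag values, the dict-based store, the function names and the sample selector and addresses are all constructed assumptions.

```python
from enum import Flag, auto

class Perm(Flag):
    # Constructed flag values for this model, not the LSP6 permission bit values.
    NONE = 0
    ADDEXTENSIONS = auto()
    CHANGEEXTENSIONS = auto()

BOTH = Perm.ADDEXTENSIONS | Perm.CHANGEEXTENSIONS

def required_permission(store, selector, caller):
    """Permission the described check demands; None when the caller holds both."""
    if (caller & BOTH) == BOTH:
        return None
    # An entry already stored under this selector turns the write into a change.
    return Perm.CHANGEEXTENSIONS if store.get(selector) else Perm.ADDEXTENSIONS

def set_extension(store, selector, extension, caller):
    """Write the extension if permitted; True on success, False on rejection."""
    need = required_permission(store, selector, caller)
    if need is not None and not (caller & need):
        return False
    store[selector] = extension
    return True

def occupied_selectors(store, planned):
    """Pre-deployment collision check: planned selectors that are already taken."""
    return sorted(s for s in planned if store.get(s))

def demo():
    store = {}  # selector (4 bytes) -> extension address; constructed sample data
    sel = bytes.fromhex("aabbccdd")
    results = [
        set_extension(store, sel, "0xExtA", Perm.ADDEXTENSIONS),     # empty slot
        set_extension(store, sel, "0xExtB", Perm.ADDEXTENSIONS),     # slot taken
        set_extension(store, sel, "0xExtB", Perm.CHANGEEXTENSIONS),  # change allowed
        set_extension(store, sel, "0xExtC", BOTH),                   # both held
    ]
    return results, store[sel]

if __name__ == "__main__":
    print(demo())
```

Running `occupied_selectors` against the current store before deploying tells an ADDEXTENSIONS-only controller which selectors would be rejected.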
Assessed type
Other