Closed code423n4 closed 1 year ago
The submission does not provide any demonstration of the issue, reasoning and code blocks.
0xSorryNotSorry marked the issue as low quality report
berndartmueller marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/utils/Multicall.sol#L22
Vulnerability details
Impact
WRONG NAME. The Function Name is the same as Contract Name. One is proper case and the other is lower case. The contract name is Multicall and the function name within it is lower case multicall. So this opens up security vulnerabilities like the following. One of the countless impacts is that the owner can be changed to a malicious attacker. A second possibility is that calls can be made to withdraw funds if available in the account.
Proof of Concept
Provide direct links to all referenced code in GitHub:
File
Victim Address: 0x3C44CdDdB6a900fa2b585dd299e03d12FA4293BC Victim Start Balance: Balance: 10000 ETH Victim End Balance After Attack: Balance: 8888.99992770374008314 ETH
Attacker Address: 0x90F79bf6EB2c4f870365E785982E1f101E93b906 Attacker Start Balance: 10000 ETH Attacker End Balance After Attack: Balance: 11111 ETH
Log follows after POC.
Steps to reproduce
NB: Using Remix Dev Foundry Provider (run anvil in cmd and foundry needs to be installed)
PoC
Log
Tools Used
Mythx && VS Code && Remix && Foundry
Recommended Mitigation Steps
Solidity version 0.4.22 introduces a new constructor keyword that make a constructor definitions clearer. It is therefore recommended to upgrade the contract to a recent version of the Solidity compiler and change to the new constructor declaration.
Assessed type
call/delegatecall