search

code-423n4 / 2023-07-axelar-findings

2 stars 0 forks source link

Accepted proposal may be recreated at the same address with a malicious proposal if there's a self destruct function in the accepted proposal #502

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/governance/InterchainGovernance.sol#L68-L79

Vulnerability details

Impact

A malicious proposal can take over the contract address of the accepted proposal through self-destruct

Proof of Concept

This issue is regarding the Tornado cash hack, whereby the attacker deploys different contracts at the same address. If the proposal manages to have a self-destruct function inside the code, then they can destroy their proposed contract and create a malicious one with the same address.

Tornado Cash Hack - https://www.youtube.com/watch?v=whjRc4H-rAc&t=362s

    function _processCommand(
        uint256 commandId,
        address target,
        bytes memory callData,
        uint256 nativeValue,
        uint256 eta
    ) internal override {
        if (commandId > uint256(type(ServiceGovernanceCommand).max)) {
            revert InvalidCommand();
        }

        ServiceGovernanceCommand command = ServiceGovernanceCommand(commandId);
        bytes32 proposalHash = keccak256(abi.encodePacked(target, callData, nativeValue));

        if (command == ServiceGovernanceCommand.ScheduleTimeLockProposal) {
            eta = _scheduleTimeLock(proposalHash, eta);

            emit ProposalScheduled(proposalHash, target, callData, nativeValue, eta);
            return;
        } else if (command == ServiceGovernanceCommand.CancelTimeLockProposal) {
            _cancelTimeLock(proposalHash);

            emit ProposalCancelled(proposalHash, target, callData, nativeValue, eta);
            return;
        } else if (command == ServiceGovernanceCommand.ApproveMultisigProposal) {
            multisigApprovals[proposalHash] = true;

Tools Used

Manual Review

Recommended Mitigation Steps

Not sure about the recommendation, but just be alert to check for the self-destruct function in all the proposals that come in

Assessed type

Other

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as primary issue

c4-sponsor commented 1 year ago

deanamiel marked the issue as sponsor disputed

deanamiel commented 1 year ago

This implies that the target contract has security vulnerabilities, signers should not vote for a proposal that calls a target with such vulnerabilities. Additionally, Axelar governance would not create a proposal on a vulnerable target contract.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Out of scope