The _invalidFrom() function as written only checks for the specific address values of 0x00 and 0xff, which represent an empty or revoked delegation in storage #241

Lines of code
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L471-L473

Vulnerability details

Impact
Invalid delegations can be created that bypass the validity checks. This could allow an attacker to fake permissions they do not actually have.

Proof of Concept
The _invalidFrom() function as written only checks for the specific address values of 0x00 and 0xff, which represent an empty or revoked delegation in storage. This means other invalid address values could slip through and be incorrectly treated as valid delegations.

The _invalidFrom() function only checks whether the from address is equal to two constant values: https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L471-L473

Storage.DELEGATION_EMPTY and Storage.DELEGATION_REVOKED are used to represent an empty or revoked delegation in storage.

However, there could be other invalid address values that _invalidFrom() does not check for. For example, the zero address (0x0) is commonly used to represent an invalid or uninitialized address.

So _invalidFrom() could return false even if from is an invalid address like 0x0. This could allow an attacker to bypass delegation checks by using invalid from addresses that _invalidFrom() does not detect.

For example, an attacker could create a delegation with from = 0x000000000000000000000000000000000000dead. This would not match the DELEGATION_EMPTY or DELEGATION_REVOKED values, so _invalidFrom() would return false and the delegation would be considered valid even though the from address is invalid.

So in summary:
- _invalidFrom() only checks for two specific invalid values
- This could allow other invalid from addresses to bypass the check
- An attacker could use this to fake delegations and gain unauthorized access
- _invalidFrom() should be updated to check for a wider range of invalid values

Tools Used
Manual

Recommended Mitigation Steps
Check for a wider range of invalid address values. This would properly detect and invalidate the 0x0 address and prevent the vulnerability.

Assessed type
Other