An attacker could create fake delegations that wrongly appear valid to _validateFrom().
Proof of Concept
There is a potential vulnerability in _validateFrom().
The issue is that _validateFrom() only compares the stored 'from' address with the input 'from' address to determine if a delegation is valid. However, an attacker could manipulate the stored 'from' address to falsely appear valid.
Here is how an attacker could exploit this:
1. Attacker calls delegateAll() to create a delegation from Attacker -> Victim with some rights. This saves a record with Attacker as 'from' address.
2. Attacker calls writeSlot() to directly write to the storage slot for this delegation. Attacker overwrites the 'from' address with Victim's address. Now the delegation record has Victim as the 'from' address instead of Attacker.
3. Attacker calls checkDelegateForAll() with Victim as the input 'from' address. _validateFrom() will compare the input Victim address to the stored Victim address and wrongly think the delegation is valid.
This would allow the Attacker to impersonate Victim and have permissions they do not actually have.
Tools Used
Manual
Recommended Mitigation Steps
_validateFrom() should not solely rely on comparing the 'from' addresses. It should also verify the delegation hash matches what is expected for that 'from'-'to' pair.
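A sketch of the check recommended above, as an added example that is not the DelegateRegistry code or the submitter's. The contract name, record layout, hash encoding and parameter lists are assumptions; only the function names delegateAll() and checkDelegateForAll() come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal registry (not DelegateRegistry's code) whose validity
/// check is bound to the (from, to, rights) hash, not only to 'from'.
contract HashBoundRegistry {
    struct Record {
        address from;        // delegator recorded at creation time
        bytes32 bindingHash; // hash of the full tuple recorded at creation time
    }

    // The storage key is derived from the tuple, so a record can only be
    // found through the exact from/to/rights it was created for.
    mapping(bytes32 => Record) private records;

    function delegationHash(address from, address to, bytes32 rights)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(from, to, rights));
    }

    /// Only msg.sender is ever written as 'from'; there is no other write path.
    function delegateAll(address to, bytes32 rights, bool enable)
        external returns (bytes32 hash)
    {
        hash = delegationHash(msg.sender, to, rights);
        if (enable) {
            records[hash] = Record({from: msg.sender, bindingHash: hash});
        } else {
            delete records[hash];
        }
    }

    /// Valid only if the stored 'from' matches AND the stored hash equals the
    /// hash recomputed from the caller-supplied tuple. The hash comparison also
    /// rejects an empty slot queried with from == address(0).
    function checkDelegateForAll(address to, address from, bytes32 rights)
        external view returns (bool)
    {
        bytes32 expected = delegationHash(from, to, rights);
        Record storage r = records[expected];
        return r.from == from && r.bindingHash == expected;
    }
}
```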
Lines of code
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L471-L473
Assessed type
Other