code-423n4 / 2023-09-delegate-findings


An attacker could create fake delegations that wrongly appear valid to _validateFrom(). #246

Closed c4-submissions closed 12 months ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L471-L473

Vulnerability details

Impact

An attacker could create fake delegations that wrongly appear valid to _validateFrom().

Proof of Concept

There is a potential vulnerability in _validateFrom().

The issue is that _validateFrom() only compares the stored 'from' address with the input 'from' address to determine if a delegation is valid. However, an attacker could manipulate the stored 'from' address to falsely appear valid. Here is how an attacker could exploit this:

  1. Attacker calls delegateAll() to create a delegation from Attacker -> Victim with some rights.
  2. This saves a record with Attacker as the 'from' address.
  3. Attacker calls writeSlot() to directly write to the storage slot for this delegation.
  4. Attacker overwrites the 'from' address with Victim's address. Now the delegation record has Victim as the 'from' address instead of Attacker.
  5. Attacker calls checkDelegateForAll() with Victim as the input 'from' address.
  6. _validateFrom() will compare the input Victim address to the stored Victim address and wrongly think the delegation is valid. This would allow the Attacker to impersonate Victim and have permissions they do not actually have.

Tools Used

Manual

Recommended Mitigation Steps

_validateFrom() should not solely rely on comparing the 'from' addresses. It should also verify the delegation hash matches what is expected for that 'from'-'to' pair.

Assessed type

Other
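As an added illustration of the mitigation the submission recommends (binding a delegation record to the hash of its 'from'-'to'-rights tuple), here is a small Python model. It is constructed for this note and is not the DelegateRegistry code; the record layout, the `delegation_hash` helper, the `write_slot` method that stands in for the raw storage write the submission assumes, and the sample addresses are all assumptions. The point it shows is that when the lookup slot is derived from the caller-supplied 'from' address, a record whose stored 'from' has been altered in place no longer sits at the slot that the altered 'from' would resolve to, so the 'from' comparison alone cannot be fooled.

```python
import hashlib

# Constructed sample addresses (hypothetical, not real accounts).
DELEGATOR = "0x1111111111111111111111111111111111111111"
DELEGATEE = "0x2222222222222222222222222222222222222222"
THIRD_PARTY = "0x3333333333333333333333333333333333333333"
ALL_RIGHTS = b"\x00" * 32  # constructed rights value


def delegation_hash(from_addr: str, to_addr: str, rights: bytes) -> bytes:
    """Hypothetical storage key: hash of the (from, to, rights) tuple.

    Models a keccak256-style packed hash; sha3_256 is used here only so the
    example runs with the standard library.
    """
    packed = from_addr.lower().encode() + to_addr.lower().encode() + rights
    return hashlib.sha3_256(packed).digest()


class HashKeyedRegistry:
    """Toy registry: records live only at the slot derived from their tuple."""

    def __init__(self) -> None:
        self.slots: dict[bytes, dict] = {}

    def delegate_all(self, from_addr: str, to_addr: str, rights: bytes) -> bytes:
        key = delegation_hash(from_addr, to_addr, rights)
        self.slots[key] = {"from": from_addr, "to": to_addr, "rights": rights}
        return key

    def write_slot(self, key: bytes, record: dict) -> None:
        # Constructed stand-in for the raw storage write the submission assumes
        # is reachable; it overwrites a record in place without moving it.
        self.slots[key] = dict(record)

    def validate_from(self, key: bytes, from_addr: str) -> bool:
        record = self.slots.get(key)
        return record is not None and record["from"] == from_addr

    def check_delegate_for_all(self, to_addr: str, from_addr: str, rights: bytes) -> bool:
        # The slot is recomputed from the caller-supplied 'from', so the
        # stored record must have been written under that same 'from'.
        key = delegation_hash(from_addr, to_addr, rights)
        return self.validate_from(key, from_addr)


def demo() -> dict:
    """Walk through the scenario in the submission against the hash-keyed model."""
    reg = HashKeyedRegistry()
    key = reg.delegate_all(DELEGATOR, DELEGATEE, ALL_RIGHTS)
    legit = reg.check_delegate_for_all(DELEGATEE, DELEGATOR, ALL_RIGHTS)

    # Overwrite the stored 'from' in place with a third party's address.
    tampered = dict(reg.slots[key])
    tampered["from"] = THIRD_PARTY
    reg.write_slot(key, tampered)

    # Querying with the third party as 'from' derives a different slot,
    # which holds no record, so the tampered entry is never consulted.
    spoofed = reg.check_delegate_for_all(DELEGATEE, THIRD_PARTY, ALL_RIGHTS)
    # The original slot now fails for the original delegator as well.
    original_after = reg.check_delegate_for_all(DELEGATEE, DELEGATOR, ALL_RIGHTS)
    return {"legit": legit, "spoofed": spoofed, "original_after": original_after}


if __name__ == "__main__":
    print(demo())
```

The model deliberately leaves `validate_from` as a plain 'from' comparison, matching the submission's description; the protection comes from the caller never choosing the slot directly, only the tuple from which it is derived.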

c4-judge commented 12 months ago

GalloDaSballo marked the issue as unsatisfactory: Invalid