Recommended Mitigation Steps
Comparing keccak256 hashes of the rights values instead of the raw values. Equal inputs hash equal and different inputs hash differently, so on its own this does not change which values match; it only helps if the value is normalised before it is hashed.
Using a fixed-width, enumerated identifier such as bytes4 rather than free-form text, so that the set of rights is closed rather than open-ended.
Maintaining a mapping of valid rights values and rejecting any value that is not in it.
Using a rights-management library that performs strict comparisons on canonical values.
Any of these prevents a variant spelling of a rights value (added underscore, trailing space, different case) from being accepted as a valid right and granting unintended permissions.
Lines of code
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L168
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L181-L182
Vulnerability details
Impact
Attackers could gain transfer or other privileged capabilities on tokens or contracts they should not have access to, leading to loss of funds or assets.
Proof of Concept
The relevant checks are in checkDelegateForAll (DelegateRegistry.sol#L168) and checkDelegateForERC721 (DelegateRegistry.sol#L181-L182): https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L168 and https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L181-L182. Each compares the rights value passed in by the caller against the rights stored for the delegation with a plain equality check. The rights value is a bytes32, so a stored value of "TRANSFER" matches only a query of exactly "TRANSFER"; a query of "TRANSFER_" (or "transfer", or "TRANSFER " with a trailing space) evaluates to false, not true. The registry does not grant rights on a near-match by itself. What it also does not do is validate or normalise the value, so every such variant is silently accepted as a separate, distinct right.
An attacker who controls the rights value written into a delegation, or the value an integrating contract queries, can therefore rely on the absence of a canonical form: underscores, spaces and camelCase versus lowercase all produce a value the registry treats as a different right, and a mismatch between what the delegator intended and what the consuming contract checks is what would let additional rights be granted or withheld unintentionally.
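The comparison behaviour described above, and the allow-list mitigation suggested under Recommended Mitigation Steps, as an added example. This is not code from the delegate-registry repository; it is a simplified Python model of a bytes32 rights comparison. It assumes that Solidity encodes a short string literal as bytes32 by right-padding with zero bytes, and that a delegation stored with the zero rights value matches any rights queried (taken from the registry's documented semantics, not from this page). The rights names ("TRANSFER", "VOTE") and the addresses are made up.

```python
# Added example, not the delegate-registry code base. Models how a bytes32
# `rights` value is matched by exact equality and how an integrating contract
# can canonicalise rights identifiers through a fixed allow-list before
# querying the registry. Rights names and addresses below are constructed.

from dataclasses import dataclass

ALL_RIGHTS = b"\x00" * 32  # zero value: assumed here to mean "every right"


def to_bytes32(rights: str) -> bytes:
    """Encode a short rights string the way Solidity encodes a bytes32
    literal: UTF-8 bytes, right-padded with zero bytes to 32 bytes."""
    raw = rights.encode("utf-8")
    if len(raw) > 32:
        raise ValueError("rights identifier longer than 32 bytes")
    return raw.ljust(32, b"\x00")


@dataclass(frozen=True)
class Delegation:
    from_addr: str  # delegator
    to_addr: str    # delegate
    rights: bytes   # bytes32, compared byte-for-byte


class RegistryModel:
    """Simplified model of checkDelegateForAll: a stored delegation matches a
    query only if (from, to, rights) are identical, except that a delegation
    stored with the zero rights value matches any rights queried (assumption,
    see lead-in)."""

    def __init__(self) -> None:
        self._delegations: set[Delegation] = set()

    def delegate_all(self, from_addr: str, to_addr: str, rights: bytes) -> None:
        self._delegations.add(Delegation(from_addr, to_addr, rights))

    def check_delegate_for_all(self, to_addr: str, from_addr: str, rights: bytes) -> bool:
        if Delegation(from_addr, to_addr, ALL_RIGHTS) in self._delegations:
            return True
        return Delegation(from_addr, to_addr, rights) in self._delegations


# Integrator-side mitigation (the "mapping of valid rights" suggestion): a
# closed allow-list of canonical identifiers; anything else is rejected before
# it ever reaches the registry. The names are hypothetical.
KNOWN_RIGHTS = {name: to_bytes32(name) for name in ("TRANSFER", "VOTE")}


def canonical_rights(name: str) -> bytes:
    """Map a rights name to its canonical bytes32 value or raise."""
    try:
        return KNOWN_RIGHTS[name]
    except KeyError:
        raise ValueError(f"unknown rights identifier {name!r}") from None


def is_accepted(name: str) -> bool:
    """True only for an exact, known identifier."""
    try:
        canonical_rights(name)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Exercise the model with constructed delegations and return the results."""
    reg = RegistryModel()
    vault, bot = "0xVault", "0xBot"  # constructed addresses
    reg.delegate_all(vault, bot, to_bytes32("TRANSFER"))
    results = {
        # Only the byte-identical value matches; every variant is a different right.
        "exact": reg.check_delegate_for_all(bot, vault, to_bytes32("TRANSFER")),
        "underscore": reg.check_delegate_for_all(bot, vault, to_bytes32("TRANSFER_")),
        "lowercase": reg.check_delegate_for_all(bot, vault, to_bytes32("transfer")),
        "space": reg.check_delegate_for_all(bot, vault, to_bytes32("TRANSFER ")),
    }
    # A delegation written with the zero value is the one case in this model
    # where a query for a different rights value succeeds.
    reg.delegate_all(vault, "0xOther", ALL_RIGHTS)
    results["wildcard"] = reg.check_delegate_for_all("0xOther", vault, to_bytes32("TRANSFER_"))
    return results
```

Run demo() to see that only the exact value matches the "TRANSFER" delegation, while the zero-value delegation matches anything; is_accepted() shows the allow-list rejecting "TRANSFER_" and "transfer" before any registry call is made, which is where the normalisation has to happen since the registry itself does none.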
Assessed type
Other