Closed c4-submissions closed 9 months ago
GalloDaSballo marked the issue as primary issue
Interesting discussion around inconsistent logic, I believe impact is limited (informational)
0xfoobar marked the issue as disagree with severity
0xfoobar (sponsor) disputed
0xfoobar marked the issue as agree with severity
TransferHelpers.checkAndPullByType(erc1155PullAuthorization, delegateInfo) performs the typechecking
GalloDaSballo marked the issue as unsatisfactory: Insufficient proof
GalloDaSballo removed the grade
NC
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L385
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L321
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L209
Vulnerability details
Impact
The contract DelegateToken works with three different types for its delegation tokens, namely ERC20, ERC721 and ERC1155. For other tokens, it is expected to revert as seen in CreateOfferer#L164. However, in the links above, it does not revert. This is bad because, for example, in DelegateToken::withdraw, it will modify global balances and registry values and continue with its execution even if the token type is not supported, so no withdrawal will be made, thus corrupting the global state of the contract.
Proof of Concept
NOTE -> I will work with DelegateToken::withdraw as an example; the links above are pretty similar, so the explanation works for all of them.
We see that global changes are made even if the token is not supported. As I do not have more time to dig inside the low-level changes made, and because there is a precedent in CreateOfferer#L164, so it is something the developers thought about but did not implement in the DelegateToken contract, I consider it as a medium (it may be a high, though; it's up to the judges).
Tools Used
Manual analysis
Recommended Mitigation Steps
Just revert if the token is not supported to avoid making changes in global state as seen in CreateOfferer#L164
Assessed type
Error
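
An added sketch, not part of the submission and not the project's code, of the pattern the report alleges next to the mitigation it recommends: a type dispatch whose unmatched case is ignored versus one that reverts so the earlier state change is rolled back. The contract, enum, error and function names are all hypothetical, and the sponsor's comment above states that the real contract's type checking happens in TransferHelpers.checkAndPullByType.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not DelegateToken's code.
contract TypeDispatchSketch {
    enum TokenType { NONE, ERC721, ERC20, ERC1155 } // hypothetical enum

    error UnsupportedTokenType(TokenType tokenType);

    mapping(uint256 => uint256) public escrowed;   // id => amount held
    mapping(TokenType => uint256) public paidOut;  // stands in for real token transfers

    function deposit(uint256 id, uint256 amount) external {
        escrowed[id] += amount;
    }

    // Dispatch on the token type; reports whether any branch matched.
    function _transferOut(TokenType tokenType, uint256 amount) internal returns (bool handled) {
        if (tokenType == TokenType.ERC721) {
            paidOut[tokenType] += 1;       // a real contract would transfer the NFT
        } else if (tokenType == TokenType.ERC20) {
            paidOut[tokenType] += amount;  // ... or the ERC20 amount
        } else if (tokenType == TokenType.ERC1155) {
            paidOut[tokenType] += amount;  // ... or the ERC1155 amount
        } else {
            return false;                  // no supported type matched
        }
        return true;
    }

    // Alleged pattern: the record is cleared, then an unmatched type is
    // silently ignored, so state changed but nothing was paid out.
    function withdrawFallThrough(uint256 id, TokenType tokenType) external {
        uint256 amount = escrowed[id];
        delete escrowed[id];
        _transferOut(tokenType, amount);   // result deliberately ignored
    }

    // Recommended pattern: revert on an unmatched type. The revert undoes
    // the delete above, so escrowed[id] keeps its value.
    function withdrawChecked(uint256 id, TokenType tokenType) external {
        uint256 amount = escrowed[id];
        delete escrowed[id];
        if (!_transferOut(tokenType, amount)) revert UnsupportedTokenType(tokenType);
    }
}
```

Calling `withdrawFallThrough(id, TokenType.NONE)` after a deposit leaves `escrowed[id]` at zero with no `paidOut` entry increased, while `withdrawChecked` with the same arguments reverts and leaves the deposit intact.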