Closed c4-submissions closed 10 months ago
Invalid, governance abuse is out of scope
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #39
alex-ppg marked the issue as not a duplicate
As the Sponsor has correctly specified, governance abuse is considered out-of-scope in this contest. While the Warden's rationale is somewhat correct, it would require the governance member to collude and set a potentially malicious contract in the authorized address list.
alex-ppg marked the issue as unsatisfactory: Invalid
alex-ppg marked the issue as primary issue
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/AddressProvider.sol#L77-L90
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/AddressProvider.sol#L84
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/AddressProvider.sol#L131
Vulnerability details
Impact
Governance can set a malicious contract as an authorised address and, since the AddressProvider.sol is a singular source of truth, an attacker can craft an exploit to abuse _authorizedAddress privileges.
Proof of Concept
A miniaturised POC is shown below.
In the AddressProvider.sol, when setAuthorizedAddress(...) is called to set _authorizedAddress as an authorised address with _overrideCheck set to false, the checks performed before updating the state are not sufficient to ensure that a malicious contract is not added as an authorised address. The _ensureAddressProvider(...) deploys the IAddressProviderService at the _authorizedAddress, thereby handing over control to the _authorizedAddress as shown below.
POC
An attacker can exploit this vulnerability either directly or by proxy.
Proxy Scenario is fallback and deploys a v1 implementation contract at address X that implements an addressProviderTarget() function that points to or returns address(addressProvider). Y that implements an addressProviderTarget() function that points to or returns a different address.
Direct Scenario is shown in the coded POC below: addressProviderTarget() function in his malicious contract that points to or returns address(addressProvider) but has some malicious code in the function and other malicious functions in his contract as shown in the POC below
/2023-10-brahma/contracts/test/branch-trees/AddressProvider/set-authorized-address/SetAuthorizedAddress.t.sol
and forge test -vv --match-test testSetAuthorisedMaliciousAddress --fork-url $MAINNET_RPC
Tools Used
Foundry
Recommended Mitigation Steps
Consider implementing a whitelist of authorised contracts or adding a delay before authorised contracts are added by governance.
Assessed type
Invalid Validation
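The "delay before authorised contracts are added" mitigation, sketched as an added example that is not Brahma's AddressProvider code: a hypothetical, simplified provider where governance first queues an address, the candidate must report this provider as its addressProviderTarget(), and activation is only possible after AUTH_DELAY has elapsed. The contract name, AUTH_DELAY, the key/mapping layout and the two-step function names are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical interface modelled on the check the report names:
// a service must point back at the provider that registers it.
interface IAddressProviderService {
    function addressProviderTarget() external view returns (address);
}

// Simplified, hypothetical sketch (not Brahma's AddressProvider):
// governance proposes an authorized address, and it can only be
// activated once AUTH_DELAY has passed, so users and monitoring have
// time to react to a malicious proposal before it takes effect.
contract DelayedAddressProvider {
    uint256 public constant AUTH_DELAY = 2 days; // assumed value

    address public governance;
    mapping(bytes32 => address) public authorizedAddresses; // active
    mapping(bytes32 => address) public pendingAddress;      // queued
    mapping(bytes32 => uint256) public pendingReadyAt;      // earliest activation

    event AuthorizedAddressProposed(bytes32 indexed key, address addr, uint256 readyAt);
    event AuthorizedAddressSet(bytes32 indexed key, address addr);

    modifier onlyGov() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address _governance) { governance = _governance; }

    // Step 1: queue the candidate; nothing is authorized yet.
    function proposeAuthorizedAddress(bytes32 key, address addr) external onlyGov {
        require(addr.code.length > 0, "not a contract");
        // Same sanity check the report discusses: the service must target this provider.
        require(IAddressProviderService(addr).addressProviderTarget() == address(this), "wrong target");
        pendingAddress[key] = addr;
        pendingReadyAt[key] = block.timestamp + AUTH_DELAY;
        emit AuthorizedAddressProposed(key, addr, pendingReadyAt[key]);
    }

    // Step 2: activate only after the delay, and only what was queued.
    function setAuthorizedAddress(bytes32 key) external onlyGov {
        address addr = pendingAddress[key];
        require(addr != address(0), "nothing pending");
        require(block.timestamp >= pendingReadyAt[key], "delay not elapsed");
        delete pendingAddress[key];
        delete pendingReadyAt[key];
        authorizedAddresses[key] = addr;
        emit AuthorizedAddressSet(key, addr);
    }
}
```

The delay only covers registration: it does not stop the proxy scenario in the report, where a proxy registered with a benign implementation later changes behaviour, so the whitelist option (or rejecting upgradeable code) is a complementary control.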