Closed c4-submissions closed 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #29
raymondfam marked the issue as duplicate of #88
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/ConsoleFallbackHandler.sol#L104
Vulnerability details
Impact
ConsoleFallbackHandler.sol does not use static call or delegate call
Proof of Concept
In the function
the simulate function is meant to simulate a call, so to simulate a call, the transaction should use staticcall to make sure that there is no state change
but the staticcall is not used, instead, call is used
also, the parameter targetContract and calldataPayload is not really used
the simulate call is not marked as payable, so the code cannot simulate call behavior with ETH attached
In short, the simulate function cannot really simulate cal
Tools Used
Manual Review
Recommended Mitigation Steps
mark the simulate function payable and use static call to simulate the transction properly
Assessed type
Access Control