Open c4-submissions opened 10 months ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #37
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as duplicate of #233
MiloTruck changed the severity to 2 (Med Risk)
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as selected for report
Since the current implementation of ODSafeManager
doesn't have the ability to migrate information to a newer version, it will break the Vault721
contract if the newer version is not modified.
Note that the issue of a new ODSafeManager
not having the state of the previous contract can be addressed in the new contract itself (eg. add functions in the new ODSafeManager
implementation to set _safeId
, _safeData
, etc... to the same values as the current one).
However, given that the sponsor was not aware of the bug beforehand (see #326), I believe that this report and its duplicates has provided value to the sponsor and therefore medium severity is appropriate.
We agree this is a duplicate of #326
Lines of code
https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/Vault721.sol#L126-L128 https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/Vault721.sol#L172-L174 https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/ODSafeManager.sol#L118-L133 https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/Vault721.sol#L94-L99
Vulnerability details
Impact
Vault721
contract is the ERC721 "Non-fungible Vault" (NFV) that manages all SAFEs ownership, transfers, and approvals via the ERC721 standard, the minter of the NFV is theODSafeManager
contract.ODSafeManager
contract acts as interface to the SAFEEngine to facilitate the management of SAFEs; such as opening safes,modifying SAFE collateral, moving SAFE collateral,etc...When a user opens a SAFE via
ODSafeManager.openSAFE
function; a NFV will be minted to the user where it will have the same id as the SAFE id so that the ids of any of them can be used interchangeably in the system, and the_safeId
is the state variable that tracks the number of the opened safes/and minted NFV by theODSafeManager
contract.The initial value of the
_safeId
is zero; and it will be incremented with each opened SAFE.But a problem will be caused if the governance change the
ODSafeManager
address viaVault721.setSafeManager
; as this will result in adding a new deployed safe manager where it will have the_safeId
set to zero, which will result in breaking the synchronization between the_safeId
and the last minted NFV id (breaking an invariant).But how could this be a problem? well, this will result in disabling SAFE opening and NFV minting:
_safeId
of 1000, and this matches the id of the last minted NFV, so the next NFV id supposed to be 1001, and that should match the value of_safeId
._safeId
of the newODSafeManager
will be zero._safeId
will be incremeted by 1 (and will equal one) and when theVault721.mint
is called to mint a NFV; the function will revert as it's requested to mint a NFV with id=_safeId
=1, and this NFV has been already deployed by the old safe manager contract.Proof of Concept
Vault721.setSafeManager function
Vault721._setSafeManager function
ODSafeManager.openSAFE function
Vault721.mint function
Tools Used
Manual Testing.
Recommended Mitigation Steps
Add a mechanism in the
ODSafeManger
to initialize the_safeId
based on the total number of previously minted NFV + 1 (another variable to be added to theVault721
to track the total number of minted NFVs).Assessed type
Context