code-423n4 / 2023-10-opendollar-findings


Selfdestruct Risk in ODProxy.sol due to Direct Deployment Call #402

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/ODProxy.sol#L27

Vulnerability details

Impact

The impact of this vulnerability is significant as it exposes ODProxy.sol to a selfdestruct risk due to a direct delegatecall to ODProxy itself, potentially causing users to lose access to the assets in their own safes.

Proof of Concept

While the risk depends on the access control of the functions, there is still a potential threat. If a malicious party were to convince a user to sign a selfdestruct transaction, their safe could be bricked, causing them to lose access to their assets and disrupting the protocol's operation.

Tools Used

Manual Review

Recommended Mitigation Steps

function execute(address _target, bytes memory _data) external payable onlyOwner returns (bytes memory _response) {
    if (_target == address(0)) revert TargetAddressRequired();
+   require(_target != address(this));

Assessed type

Invalid Validation
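
The mechanics the report gestures at, as an added illustration that is not od-contracts code: a minimal owner-gated proxy modelled on the execute(address,bytes) pattern at the linked line, with the recommended self-target check added, next to a target contract whose only job is to call selfdestruct. Contract and function names (MiniProxy, Destroyer, destroy) and the SelfTargetNotAllowed error are assumptions for the example. Because the proxy reaches the target through delegatecall, the target's code runs with the proxy's storage, balance and address, so a selfdestruct inside the target acts on the proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example, not the project's own contract. Owner-gated proxy that
/// forwards arbitrary calldata to a target via delegatecall.
contract MiniProxy {
    error TargetAddressRequired();
    error OnlyOwner();
    error SelfTargetNotAllowed(); // assumed name, mirrors the recommended check

    address public immutable OWNER;

    constructor(address _owner) {
        OWNER = _owner;
    }

    modifier onlyOwner() {
        if (msg.sender != OWNER) revert OnlyOwner();
        _;
    }

    /// Rejects the zero address and the proxy itself as targets. Any other
    /// target still executes in this contract's context via delegatecall.
    function execute(address _target, bytes memory _data)
        external
        payable
        onlyOwner
        returns (bytes memory _response)
    {
        if (_target == address(0)) revert TargetAddressRequired();
        if (_target == address(this)) revert SelfTargetNotAllowed();

        bool ok;
        (ok, _response) = _target.delegatecall(_data);
        if (!ok) {
            // Bubble up the target's revert data unchanged.
            assembly {
                revert(add(_response, 0x20), mload(_response))
            }
        }
    }
}

/// A target the owner could be tricked into executing. When reached via
/// delegatecall, `selfdestruct` is evaluated against the caller (the proxy):
/// the proxy's ETH balance is sent to `_to`, and on pre-Cancun chains the
/// proxy's code is removed at the end of the transaction.
contract Destroyer {
    function destroy(address payable _to) external {
        selfdestruct(_to);
    }
}
```

To exercise it, deploy both contracts and have the owner call execute on MiniProxy with the Destroyer address and abi.encodeWithSelector(Destroyer.destroy.selector, someAddress) as calldata; the self-target check does not fire because the target is a different contract, and the proxy's balance is drained to someAddress. Two caveats for anyone reproducing this: the onlyOwner gate means the owner has to be convinced to sign the call, as the report notes, and since the Cancun upgrade (EIP-6780) selfdestruct no longer removes code unless the contract was created in the same transaction, so on current mainnet the observable effect is the balance transfer rather than a bricked proxy.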

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #22

c4-judge commented 1 year ago

MiloTruck changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

MiloTruck marked the issue as grade-c