search

code-423n4 / 2023-11-panoptic-findings

0 stars 0 forks source link

Invalid Address in getPoolId() #467

Closed c4-bot-4 closed 9 months ago

c4-bot-4 commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/libraries/PanopticMath.sol#L38C5-L40C6#L42

Vulnerability details

Impact

The getPoolId() function fails to check the validity of the provided Uniswap v3 pool address. If an invalid address is passed, it could be used to manipulate calls to unintended pools or cause other unintended consequences.

  1. The attacker could obtain the pool ID for a non-existent or malicious pool. This pool ID might then be used to call other functions on that pool, potentially causing unintended actions or losses for users.
  2. The attacker could compromise the integrity of the library by injecting malicious code. This could lead to unintended behavior or even compromise the security of the entire library.
  3. Denial of Service attacks by repeatedly calling the function with invalid addresses resulting in system unavailability due to continous processing of invalid requests

Proof of Concept

  1. For example we have the vulnerable getPoolId function in the PanopticMath library.

  2. We create a contract called MaliciousContract with a trustedPool address.

  3. The manipulateGetPoolId function in MaliciousContract demonstrates how an attacker could manipulate the getPoolId() function by creating a malicious address (maliciousAddress) and calling the vulnerable function with this manipulated address.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

library PanopticMath {
    function getPoolId(address univ3pool) internal pure returns (uint64) {
        return uint64(uint160(univ3pool) >> 96);
    }
}

contract MaliciousContract {
    using PanopticMath for *;

    address public trustedPool;

    constructor(address _trustedPool) {
        trustedPool = _trustedPool;
    }

    function manipulateGetPoolId() public view returns (uint64) {
        // An attacker can manipulate the getPoolId function by passing a malicious address
        address maliciousAddress = address(uint160(trustedPool) + 1);

        // Call the vulnerable function with the manipulated address
        return maliciousAddress.getPoolId();
    }
}

Tools Used

  1. VScode
  2. MythX
  3. Remix

Recommended Mitigation Steps

The most important mitigation step is to include proper input validation by adding a check to confirm if it is a valid address in order to fix this vulnerability.

pragma solidity ^0.8.0;

library PanopticMath {
    function getPoolId(address univ3pool) internal pure returns (uint64) {
        require(isValidAddress(univ3pool), "Invalid pool address");

        return uint64(uint160(univ3pool) >> 96);
    }

    function isValidAddress(address addr) internal pure returns (bool) {
        // Check if the address is not zero and has the correct length
        return addr != address(0) && addr == address(uint160(addr));
    }
}

Assessed type

Invalid Validation

c4-judge commented 9 months ago

Picodes marked the issue as unsatisfactory: Invalid