Public exposure of contract's Ether Balance that would trump security.

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2023-11-zetachain/blob/6a9fdc29ce7e142facfcd6f15a16bf00b659d53b/repos/protocol-contracts/contracts/zevm/WZETA.sol#L32-L34

Vulnerability details

Impact

The wrong implementation of this.balance in the totalSupply() function poses security threat if exploited maliciously.

Proof of Concept

function totalSupply() public view returns (uint) {
    return this.balance;
}

This code provided is intended to display the total Supply of tokens, but the implementation returns this.balance, which is typically used for Ether balance in a contract.

The impact could be:

• Unintended Behavior: If the intention is to retrieve the total supply of a token, using this.balance is incorrect. It would return the Ether balance of the contract instead.
• Security Risk: Depending on the use case, exposing the contract's balance publicly might not be a good practice. It could lead to unintended consequences or vulnerabilities.

Consider a scenario where exposing the contract's balance publicly could lead to a potential exploit.

pragma solidity ^0.8.0;

contract MaliciousExploit {
    address public targetContract;

    // Constructor to set the target contract address
    constructor(address _targetContract) {
        targetContract = _targetContract;
    }

    // Function to attempt an exploit
    function maliciousExploit() public {
        // Assuming the target contract has a public balance function
        uint targetBalance = targetContract.balance;

        // Perform malicious actions based on the knowledge of the target contract's balance
        // Example: Reentrancy attack
        if (targetBalance > 0) {
            // Assuming the target contract has a withdraw function
            // This malicious contract can repeatedly call withdraw to drain the target contract's balance
            (bool success, ) = targetContract.call{value: targetBalance}("");
            require(success, "Exploit failed");
        }
    }
}

A malicious contract MaliciousExploit is deployed with the address of the target contract targetContract as a constructor parameter. The maliciousExploit() function is designed to retrieve the balance of the target contract and perform a potential malicious action based on that information. In this case, it simulates a reentrancy attack, where if the target contract's balance is greater than 0, the malicious contract repeatedly calls a withdraw() function in the target contract to drain its balance.

Tools Used

Vs Code Manual

Recommended Mitigation Steps

If you intend to implement a total supply function for a token, you would usually store the total supply as a state variable and return that value.

For example:

uint public totalSupply;

function getTotalSupply() public view returns (uint) {
    return totalSupply;
}

Assessed type

Reentrancy

[c4-pre-sort]

DadeKuma marked the issue as insufficient quality report

[c4-judge]

0xean marked the issue as unsatisfactory: Overinflated severity