code-423n4 / 2024-02-spectra-findings


msg.value can be Greater than Zero even when Data is Empty #87

Closed c4-bot-4 closed 8 months ago

c4-bot-4 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/proxy/AMTransparentUpgradeableProxy.sol#L118

Vulnerability details

Impact

msg.value can be greater than zero even when data is empty, as against protocol expectation.

Proof of Concept

    /**
     * @dev Upgrade the implementation of the proxy. See {ERC1967Utils-upgradeToAndCall}.
     *
     * Requirements:
     *
>>>  * - If `data` is empty, `msg.value` must be zero.
     */
    function _dispatchUpgradeToAndCall() private {
        (address newImplementation, bytes memory data) = abi.decode(msg.data[4:], (address, bytes));
        ERC1967Utils.upgradeToAndCall(newImplementation, data);
    }

The _dispatchUpgradeToAndCall() function above, from the AMTransparentUpgradeableProxy contract, shows in its comment description that whenever data is empty, msg.value must be zero; however, no implementation was done in this regard to enforce it. This way the function would be callable with a msg.value greater than zero even when data is empty, which could break the protocol, as against protocol expectation.

Tools Used

Manual Review

Recommended Mitigation Steps

Spectra Protocol should ensure the necessary implementation is done so that whenever data is empty, the msg.value used to call the function is zero.

Assessed type

Context

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid
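
An added example, not code from the Spectra repository or from any participant in this thread: a self-contained Solidity sketch of where a requirement like the one in the quoted NatSpec can be enforced, namely inside the library call that the dispatch function hands off to rather than in the dispatch function itself. It assumes the ERC1967Utils referenced above is the OpenZeppelin Contracts v5 library, whose upgradeToAndCall reverts with ERC1967NonPayable when data is empty and msg.value is non-zero; every name ending in Sketch is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; "Sketch" names are hypothetical, not Spectra or OpenZeppelin code.
library UpgradeSketch {
    error NonPayableUpgrade(); // stands in for OpenZeppelin's ERC1967NonPayable
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // Internal library code is inlined into the caller, so msg.value below is
    // the value attached to the call that reached the proxy.
    function upgradeToAndCall(address newImpl, bytes memory data) internal {
        require(newImpl.code.length > 0, "not a contract");
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, newImpl) }
        if (data.length > 0) {
            (bool ok, ) = newImpl.delegatecall(data); // value is available to the setup call
            require(ok, "setup call failed");
        } else if (msg.value > 0) {
            revert NonPayableUpgrade(); // empty data: value would be stranded in the proxy
        }
    }
}

contract ProxySketch {
    address private immutable admin;
    constructor(address impl) {
        admin = msg.sender;
        UpgradeSketch.upgradeToAndCall(impl, "");
    }

    // Same shape as _dispatchUpgradeToAndCall(): decode, then let the library check.
    fallback() external payable {
        require(msg.sender == admin, "admin only");
        (address newImpl, bytes memory data) = abi.decode(msg.data[4:], (address, bytes));
        UpgradeSketch.upgradeToAndCall(newImpl, data);
    }
}

contract ImplSketch { function setup() external payable {} }

contract DemoSketch {
    // Send 2 wei: one upgrade call carries empty data, the other a setup call.
    function run() external payable returns (bool emptyDataOk, bool withDataOk) {
        ImplSketch impl = new ImplSketch();
        ProxySketch proxy = new ProxySketch(address(impl)); // this contract becomes admin
        bytes4 sel = bytes4(keccak256("upgradeToAndCall(address,bytes)"));
        (emptyDataOk, ) = address(proxy).call{value: 1}(abi.encodeWithSelector(sel, address(impl), bytes("")));
        (withDataOk, ) = address(proxy).call{value: 1}(abi.encodeWithSelector(sel, address(impl), abi.encodeCall(ImplSketch.setup, ())));
    }
}
```

When reviewing a wrapper like the one quoted in the report, read the callee's source at the pinned dependency version before concluding that a documented requirement is unenforced.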