Closed c4-bot-3 closed 1 month ago
Hi @fatherGoose1, while the writing of this issue is too long, it's clearly duplicate of https://github.com/code-423n4/2024-08-phi-findings/issues/73 which is sponsor confirmed. Please take a look, the issue is exactly the same and clearly shows a user can freely chose the ImageUri without autorization since it's not included in the signature check.
Agreed, will dupe
Lines of code
https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/art/PhiNFT1155.sol#L283 https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/abstract/Claimable.sol#L47 https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/art/PhiNFT1155.sol#L164
Vulnerability details
SUMMARY:
A confirmed vulnerability has been identified within the Phi Protocol's
mint()
function in thePhiNFT1155
contract, rooted in the unsanitized handling of user inputs. Specifically, the vulnerability arises from the direct assignment of theimageURI_
parameter, which can be exploited via JSON injection. This flaw allows attackers to introduce malicious metadata, consequently leading to incorrect interpretations by front-end applications. Functions such asclaimFromFactory()
inPhiNFT1155
andmerkleClaim()
in related contracts facilitate this issue by enabling the flow of crafted user inputs that compromise metadata integrity. Despite existing signature verification mechanisms, these functions lack adequate input sanitization to prevent such vulnerabilities.RELEVANT CODE:
VULNERABILITY DETAILS:
The identified vulnerability within the Phi Protocol's
mint()
function facilitates metadata manipulation through JSON injection. Unsanitized direct assignment of theimageURI_
parameter in this function creates the potential for an attacker to supply a crafted input that alters the intended metadata structure. The indirect paths leading to this function, such asclaimFromFactory()
andmerkleClaim()
, allow external calls to incorporate malicious inputs into themint()
process.Sequence and Integration:
Invocation Path: The vulnerability chain begins with external functions like
merkleClaim()
andclaimFromFactory()
. These functions either accept or decode user inputs that includeimageURI_
, forwarding them to themint()
function without sanitization.Direct Assignment and Risk: In the
mint()
function, the parameterimageURI_
is directly assigned toadvancedTokenURI[tokenId_][to_]
. Since no sanitization is applied, malicious strings can be embedded, potentially disrupting how metadata is portrayed in Web3 interfaces.Impact on Systems' State: With the metadata altered through such injections, the integrity and reliability of NFT representations can be compromised, misleading users and disrupting the intended portrayal of credentials and art linked with the NFTs.
Technical Focus: The vulnerability is highly technical, focusing on the specific absence of input sanitization at critical points where user-controlled data affects state variables directly tied to NFT metadata.
Supporting Evidence:
createArt()
andclaimFromFactory()
, allow passes ofimageURI_
without adequate checks.imageURI_
is used to set NFT metadata essential for visualization, showing no intermediate sanitization or validation logic prior to its final assignment inmint()
.The severity of this vulnerability is emphasized by its ability to manipulate the onchain identity's credibility, which is a core tenet of the Phi Protocol's mission to accurately showcase user achievements and attributes across the digital space.
TECHNICAL IMPACT
The technical impact of the identified vulnerability within the Phi Protocol's smart contracts primarily revolves around the unsanitized handling of input parameters, specifically the
imageURI_
field in themint()
function. This vulnerability opens the door to JSON injection attacks that can manipulate the metadata associated with Non-Fungible Tokens (NFTs) within the protocol.Exploitation Potential
Metadata Manipulation: The
mint()
function in thePhiNFT1155
contract assigns theimageURI_
parameter directly to a state variable without validation. This lapse allows attackers to inject malicious JSON into metadata fields. Consequently, the metadata consumed by front-end applications may reflect altered or incorrect information, affecting the NFT's appearance or associated data.Propagation Through Contracts: The vulnerability is not isolated; it propagates through various interaction points in the protocol. Functions like
claimFromFactory()
andmerkleClaim()
from theClaimable
andPhiFactory
contracts facilitate the flow of unverified inputs, ultimately feeding into themint()
function. These entry points lack sufficient input sanitation, compounding the susceptibility to JSON injection attacks.Impact on System Integrity: By manipulating the
imageURI_
, attackers can alter how NFTs are perceived, potentially embedding malicious content that misguides users. This affects the core objective of the Phi Protocol—to construct a reliable and verifiable onchain identity—by subverting the trust and accuracy of the credentials and identities it aims to uphold.System-Wide Consequences
Data Integrity Challenges: The unauthorized alteration of metadata can compromise the integrity of published credentials, impacting user trust and the perceived reliability of the protocol. Such manipulation undermines the foundational layer of onchain identity presentation, which is critical to the protocol's value proposition.
Financial and Reputational Risks: The exploitation of this vulnerability might lead to wider repercussions, including potential financial losses for users who rely on the authenticity of the NFTs minted through this protocol. Moreover, the protocol itself could face reputational damage if users encounter manipulated or deceptive information.
Potential for Broader Security Breaches: While the immediate impact involves metadata, the presence of such an unsanitized vector highlights gaps that could be exploited for further attacks, including phishing or other forms of security breaches that leverage false identity representations.
Code-Level Evidence
The vulnerability is isolated within the
mint()
function's direct assignment of theimageURI_
:Conclusion
In addressing the technical impact of this vulnerability, the protocol must employ input validation mechanisms to safeguard against JSON injection attacks. This should involve stringent checks at all points where user-controlled data, such as
imageURI_
, enters the system, ensuring the integrity and reputation of digital identities minted on the Phi Protocol.PROOF OF CONCEPT
Explanation
This Proof of Concept (PoC) illustrates how an attacker can exploit the unsanitized handling of the
imageURI_
parameter in themint()
function of thePhiNFT1155
contract. By crafting a specific malicious input, an attacker can inject unwanted JSON fields into the NFT metadata, affecting how the metadata is perceived and displayed by front-end applications.The vulnerability arises due to the direct assignment of user inputs without validation, particularly the
imageURI_
. By leveraging functions such asmerkleClaim()
andclaimFromFactory()
, which eventually call themint()
function, attackers can transmit malicious inputs into the system. The PoC will demonstrate how a manipulatedimageURI_
can alter an NFT's metadata.Step-by-Step Vulnerability Exploitation:
Target Function:
mint()
in thePhiNFT1155
contract.imageURI_
without sanitization.Input Preparation:
imageURI_
that includes JSON injection.Function Calling Sequence:
merkleClaim()
orclaimFromFactory()
can initiate themint()
call, passing the maliciousimageURI_
.imageURI_
, forwarding the malicious payload tomint()
.Injected Content and Metadata Alteration:
imageURI_
input manipulates JSON metadata seen by any systems using this NFT's URI.Proof of Manipulation:
Underlying Function Relationships:
merkleClaim()
: ExtractsimageURI_
from its inputs. Callsmint()
indirectly.claimFromFactory()
: As an intermediary, transmits crafted inputs, includingimageURI_
, tomint()
.Code Explanation:
Impact Verification:
maliciousImageURI
.This Proof of Concept vividly demonstrates the critical nature of input sanitization by highlighting the easy manipulation of NFT metadata when user input is not properly validated.
Assessed type
en/de-code