The SeawaterAMM contract uses a proxy pattern with multiple executor contracts. The directDelegate function is used to forward calls to these executor contracts using delegatecall.
The directDelegate function performs a delegatecall to an address stored in a specific storage slot. However, there's no access control or validation on the addresses that can be set as executors, potentially allowing an attacker to execute arbitrary code in the context of the SeawaterAMM contract.
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/SeawaterAMM.sol#L132
Vulnerability details
Summary
The
SeawaterAMM
contract uses a proxy pattern with multiple executor contracts. ThedirectDelegate
function is used to forward calls to these executor contracts usingdelegatecall
.The
directDelegate
function performs adelegatecall
to an address stored in a specific storage slot. However, there's no access control or validation on the addresses that can be set as executors, potentially allowing an attacker to execute arbitrary code in the context of theSeawaterAMM
contract.Code Snippet
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/SeawaterAMM.sol#L132
Impact
An attacker who gains control of any executor address could:
This vulnerability could lead to a complete compromise of the AMM system.
Scenario
updateExecutors
function or gains access to the proxy admin role.EXECUTOR_SWAP_SLOT
) to a malicious contract.directDelegate
function will execute the malicious code with the full permissions of theSeawaterAMM
contract.Fix
Assessed type
Access Control