code-423n4 / 2024-08-superposition-validation


Lack of Access Control on Executor Addresses Enables Complete Contract Compromise #212

Closed c4-bot-5 closed 1 month ago

c4-bot-5 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/SeawaterAMM.sol#L132

Vulnerability details

Summary

The SeawaterAMM contract uses a proxy pattern with multiple executor contracts. The directDelegate function is used to forward calls to these executor contracts using delegatecall.

The directDelegate function performs a delegatecall to an address stored in a specific storage slot. However, there's no access control or validation on the addresses that can be set as executors, potentially allowing an attacker to execute arbitrary code in the context of the SeawaterAMM contract.

Code Snippet

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/SeawaterAMM.sol#L132

function directDelegate(address to) internal {
    assembly {
        // ... (assembly code)
        let result := delegatecall(gas(), to, 0, calldatasize(), 0, 0)
        // ... (more assembly code)
    }
}

Impact

An attacker who gains control of any executor address could:

  1. Manipulate the contract's state
  2. Drain funds from the contract
  3. Perform unauthorized operations with the contract's permissions

This vulnerability could lead to a complete compromise of the AMM system.

Scenario

  1. An attacker exploits a vulnerability in the updateExecutors function or gains access to the proxy admin role.
  2. They set one of the executor addresses (e.g., EXECUTOR_SWAP_SLOT) to a malicious contract.
  3. When a user calls a swap function, the directDelegate function will execute the malicious code with the full permissions of the SeawaterAMM contract.

Fix

  1. Implement strict access control for setting and updating executor addresses.
  2. Use a whitelist of allowed executor addresses.
  3. Implement a time-lock mechanism for executor address changes.

Assessed type

Access Control

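A hardened executor registry along the lines of the Fix section above, added here as an example and not code from the Superposition project: an owner-gated, two-step (propose, then apply after a delay) setter that also rejects non-contract targets, so a delegatecall destination cannot be swapped silently or pointed at an EOA. The contract name, the two-day delay and the bytes32 executor ids are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the SeawaterAMM code: a minimal owner-gated, time-locked
// executor registry of the shape the Fix section describes. The delay value
// and the bytes32 executor ids are assumptions.
contract TimelockedExecutors {
    address public owner;
    uint256 public constant DELAY = 2 days;

    // executor id (e.g. keccak256("EXECUTOR_SWAP_SLOT")) => live executor address
    mapping(bytes32 => address) public executors;
    // pending change: proposed address and the earliest timestamp it may be applied
    struct Pending { address target; uint64 readyAt; }
    mapping(bytes32 => Pending) public pending;

    event ExecutorProposed(bytes32 indexed id, address target, uint64 readyAt);
    event ExecutorUpdated(bytes32 indexed id, address target);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Step 1: only the owner may propose, and the target must be a deployed
    // contract (rejects the zero address and externally owned accounts).
    function proposeExecutor(bytes32 id, address target) external onlyOwner {
        require(target.code.length > 0, "executor must be a contract");
        uint64 readyAt = uint64(block.timestamp + DELAY);
        pending[id] = Pending(target, readyAt);
        emit ExecutorProposed(id, target, readyAt);
    }

    // Step 2: anyone may apply once the delay has elapsed, so users and
    // monitoring get a window to inspect the new delegatecall target first.
    function applyExecutor(bytes32 id) external {
        Pending memory p = pending[id];
        require(p.target != address(0), "nothing pending");
        require(block.timestamp >= p.readyAt, "timelock active");
        delete pending[id];
        executors[id] = p.target;
        emit ExecutorUpdated(id, p.target);
    }

    // The owner can withdraw a proposal during the delay window.
    function cancelExecutor(bytes32 id) external onlyOwner {
        delete pending[id];
    }
}
```

The proxy's directDelegate would then read the target from executors[id] rather than from a slot that any setter can overwrite in one step, and the ExecutorProposed event gives off-chain monitoring something concrete to alert on.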
liveactionllama commented 1 month ago

Missing json data, but appears to be identical to submission #213. Closing this one.