0xmahdirostami
commented
3 months ago Another scenario:
- there is a module with title x and major version 1 and URL y
- admin add new module with title x and URL z or major version 2 (URL or version changed)
- the title is the same
- user add this new module
Other Mitigation:
Instead of title, use identifier.
Titles could be the same, but identifiers not.
function identifier(IModule_v1.Metadata memory metadata)
internal
pure
returns (bytes32)
{
return keccak256(
abi.encode(metadata.majorVersion, metadata.url, metadata.title)
);
}
FHieser
Github username: @0xmahdirostami Twitter username: 0xmahdirostami Submission hash (on-chain): 0xa3617c930f1addf5a6c906825e76cb692aa16953e2455ee921f65c2624e1a237 Severity: low
Description: Description: When adding a new module to the orchestrator, the system does not check whether a module with the same title already exists. This can lead to duplicate module titles, which can result in incorrect values being returned by the
_isModuleUsedInOrchestratorfunction.Scenario: If two modules with the same title are added, the
findModuleAddressInOrchestratorfunction will be unable to differentiate between them. This can cause the function to return the wrong module address.Impact: The incorrect module address returned by
findModuleAddressInOrchestratorcan lead to various issues, including the execution of unintended modules, potential security vulnerabilities, and unexpected behavior of the system.Mitigation: Implement a check for duplicate module titles when adding new modules to ensure that each module has a unique title. This will prevent the addition of modules with duplicate titles and ensure the correct functioning of
findModuleAddressInOrchestrator.