In the WalletImpl.sol contract, the execCalls function allows the contract owner to execute multiple arbitrary calls. However, there is no input validation or restriction on the target addresses or data that can be sent, which could be exploited by a malicious owner.
Vulnerability Detail
The execCalls function accepts an array of Call structs containing the target address, value, and data for each call. It then executes these calls without any input validation, allowing the owner to target any address with arbitrary data.
Impact
This vulnerability could allow a malicious contract owner to execute harmful calls to other contracts, leading to a loss of funds or disruption of other systems.
Consider implementing input validation and restrictions on the target addresses and data that can be sent through the execCalls function. This will help reduce the risk of malicious actions by the contract owner.
moneyversed
high
Unprotected function call in WalletImpl.sol
Summary
In the WalletImpl.sol contract, the execCalls function allows the contract owner to execute multiple arbitrary calls. However, there is no input validation or restriction on the target addresses or data that can be sent, which could be exploited by a malicious owner.
Vulnerability Detail
The execCalls function accepts an array of Call structs containing the target address, value, and data for each call. It then executes these calls without any input validation, allowing the owner to target any address with arbitrary data.
Impact
This vulnerability could allow a malicious contract owner to execute harmful calls to other contracts, leading to a loss of funds or disruption of other systems.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/WalletImpl.sol#L43
Tool used
Manual Review
Recommendation
Consider implementing input validation and restrictions on the target addresses and data that can be sent through the execCalls function. This will help reduce the risk of malicious actions by the contract owner.