sherlock-audit / 2023-09-Gitcoin-judging


0xnirlin - Registry address is set to proxy address of create3 instead of registry in the anchor.sol #874

Closed sherlock-admin closed 11 months ago

sherlock-admin commented 12 months ago

0xnirlin

high

Registry address is set to proxy address of create3 instead of registry in the anchor.sol

create3 uses the intermediary proxy, which deploys the registry contract, so in this case the msg.sender is the proxy address instead of the registry address.

Vulnerability Detail

The Create3 implementation deploys the proxy that then deploys the contract, but the constructor of anchor.sol uses msg.sender as the address of the registry, which is actually the address of the proxy.

anchor.sol

    constructor(bytes32 _profileId) {
        // @audit-issue here the msg.sender is the address of the temporary proxy, not the registry contract
        registry = Registry(msg.sender);
        profileId = _profileId;
    }

The original documentation of create3 recommends passing the addresses as arguments instead of using msg.sender. Check the following link: https://github.com/ZeframLou/create3-factory

Now check the solady implementation:

https://github.com/Vectorized/solady/blob/main/src/utils/CREATE3.sol

https://github.com/Vectorized/solady/blob/1c1ac4ad9c8558001e92d8d1a7722ef67bec75df/src/utils/CREATE3.sol#L48

Check the following code snippet used by solady, which deploys the contract by using the proxy address on the above line:

            if iszero(
                call(
                    gas(), // Gas remaining.
                    proxy, // Proxy's address.
                    value, // Ether value.
                    add(creationCode, 0x20), // Start of `creationCode`.
                    mload(creationCode), // Length of `creationCode`.
                    0x00, // Offset of output.
                    0x00 // Length of output.
                )
            ) {

Impact

The anchor will not work, and neither will everything else in the system, as most things revolve around the functioning of the anchor contract.

So the anchor will never be able to access the registry, and it cannot be changed through the setters either.

Code Snippet

https://github.com/Vectorized/solady/blob/1c1ac4ad9c8558001e92d8d1a7722ef67bec75df/src/utils/CREATE3.sol#L48-L118

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Anchor.sol#L55-L58

Tool used

Manual Review

Recommendation

Pass the registry address as an argument instead of using msg.sender when deploying through the registry.

Duplicate of #380
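
The msg.sender behaviour described in the report, reduced to a self-contained Solidity sketch. This is an added example, not code from the report, Allo or solady; `IntermediaryProxy`, `AnchorFromSender`, `AnchorFromArg` and `RegistryDemo` are hypothetical names, and the proxy is a simplified Solidity stand-in for the CREATE3 intermediary rather than its real bytecode.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified stand-in (assumption) for the CREATE3 intermediary: it CREATEs
// whatever creation code it is called with, so it is msg.sender in that constructor.
contract IntermediaryProxy {
    function deploy(bytes memory creationCode) external returns (address deployed) {
        assembly {
            deployed := create(0, add(creationCode, 0x20), mload(creationCode))
        }
        require(deployed != address(0), "deploy failed");
    }
}

// Constructor pattern from the report: takes msg.sender as the registry.
contract AnchorFromSender {
    address public immutable registry;
    constructor(bytes32) {
        registry = msg.sender; // the intermediary, when deployed through it
    }
}

// Recommended pattern: the registry address is a constructor argument.
contract AnchorFromArg {
    address public immutable registry;
    constructor(bytes32, address _registry) {
        registry = _registry;
    }
}

// Plays the registry role: deploys both anchors through the intermediary
// and reports which address each one recorded.
contract RegistryDemo {
    function check(bytes32 profileId) external returns (bool senderIsProxy, bool argIsRegistry) {
        IntermediaryProxy proxy = new IntermediaryProxy{salt: profileId}();
        address a = proxy.deploy(
            abi.encodePacked(type(AnchorFromSender).creationCode, abi.encode(profileId))
        );
        address b = proxy.deploy(
            abi.encodePacked(type(AnchorFromArg).creationCode, abi.encode(profileId, address(this)))
        );
        senderIsProxy = AnchorFromSender(a).registry() == address(proxy);
        argIsRegistry = AnchorFromArg(b).registry() == address(this);
    }
}
```

Calling `check` with a fresh `profileId` returns `(true, true)`: the first anchor stores the intermediary's address, the second stores the deploying contract's address.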