Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
If facetAddress is a valid one, it's meant to be called. No difference in calling with `0x12d05b` and `0x12d05b00`.
I believe this is low severity, as the example is using a non-existent function selector, so this issue has not proven how a function can be bypassed based on the current contract logic.
unforgiven
medium
Attacker can bypass the function whitelist in the Diamond pattern and call the fallback() function because the code doesn't check data.length >= 4
Summary
Ubiquity protocol implements a diamond proxy. Admins can set an (address, function) whitelist in the diamond proxy of what is allowed to be called through the proxy. The issue is that the `fallback()` function in the Diamond contract doesn't check that `data.length >= 4`, so if any whitelisted function's signature ends with a 0 byte, then an attacker can call the `fallback()` function of that function's facet, while admins haven't whitelisted the fallback function.

Vulnerability Detail
This is the `fallback()` code in the Diamond contract; as you can see, the code doesn't check to make sure `data.length >= 4`:

The issue is that if `data.length = 3` then Solidity pads it with zeros when using the `msg.sig` value, so if there was a whitelisted function in the diamond proxy whose signature ends with 0, then an attacker can call the diamond proxy without that ending zero, and the fallback code would bypass the facet check, but in the target facet, instead of the target function, the fallback would be executed. This is the POC:

- `evaSafesFactory()` in FACET1 as whitelisted function+facet, and the function signature is `0x12d05b00`.
- `data = 0x12d05b`
- `fallback()` function in the diamond proxy would use `msg.sig` to find the facet related to the function signature.
- `0x12d05b` with zeros and `msg.sig = 0x12d05b00`, and the code would validate FACET1 as the target facet.
- `data = 0x12d05b`, and in that target address's code the fallback would be executed.

I have a coded POC that can be tested in the Remix IDE: if you call this contract with `calldata = 0x12d05b` then the `fallback()` will be executed and the value of `sig_fallback` would be set as `0x12d05b00`, which proves that `msg.sig` pads with 0 if `data.length < 4` and also proves that if `data.length < 4` then the fallback will be executed.

Impact
In some cases an attacker can bypass facet+function whitelists in the diamond proxy and call the `fallback()` functions of the facets.

Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/Diamond.sol#L46-L54
Tool used
Manual Review
Recommendation
In `fallback()` of the diamond, check that `data.length >= 4`.
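As an added illustration (constructed code, not the Ubiquity Diamond and not the reporter's Remix POC), a minimal proxy with the same kind of selector whitelist shows the unchecked path beside the recommended `msg.data.length >= 4` check; the contract names, the `Facet` stand-in and the `checkLength` switch are assumptions, and only the `0x12d05b00` selector comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the facet: it has no function whose selector
// matches a 3-byte call, so the EVM dispatch falls through to fallback().
contract Facet {
    event FacetFallbackRan(bytes data);

    fallback() external payable {
        // Under delegatecall this log is emitted from the proxy's address.
        emit FacetFallbackRan(msg.data);
    }
}

// Constructed minimal selector-whitelisting proxy (not the Ubiquity Diamond).
// Deploy with checkLength=false to reproduce the report, true for the fix.
contract MinimalDiamond {
    mapping(bytes4 => address) public facets;   // selector => facet
    bool public immutable checkLength;
    bytes4 public lastSig;                       // what msg.sig resolved to
    bytes4 public constant WHITELISTED_SEL = 0x12d05b00; // from the report

    constructor(address facet, bool _checkLength) {
        facets[WHITELISTED_SEL] = facet;          // admin whitelists one pair
        checkLength = _checkLength;
    }

    fallback() external payable {
        // Fix: a call shorter than 4 bytes cannot name a function, so reject
        // it before msg.sig is consulted. (Add receive() if plain ETH
        // transfers with empty calldata must still be accepted.)
        if (checkLength) {
            require(msg.data.length >= 4, "calldata shorter than selector");
        }
        // msg.sig reads the first calldata word, which the EVM zero-pads:
        // calldata 0x12d05b resolves to 0x12d05b00 and passes the whitelist.
        lastSig = msg.sig;
        address facet = facets[msg.sig];
        require(facet != address(0), "function not whitelisted");
        // The original 3-byte calldata is forwarded, so the facet executes
        // its fallback rather than the whitelisted function.
        (bool ok, bytes memory ret) = facet.delegatecall(msg.data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

Calling the unchecked instance with calldata `0x12d05b` leaves `lastSig == 0x12d05b00` and emits `FacetFallbackRan` from the proxy; the checked instance reverts before the whitelist lookup.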