Closed sherlock-admin4 closed 1 month ago
Escalate
This is not duplicate of https://github.com/sherlock-audit/2024-04-titles-judging/issues/264.
The attack vector, affected code snippet, recommendation and impact are different. This issue shows an access control problem. This issue is duplicate of another issue that was confirmed and rewarded (https://github.com/sherlock-audit/2024-04-titles-judging/issues/266).
Escalate
This is not duplicate of https://github.com/sherlock-audit/2024-04-titles-judging/issues/264.
The attack vector, affected code snippet, recommendation and impact are different. This issue shows an access control problem. This issue is duplicate of another issue that was confirmed and rewarded (https://github.com/sherlock-audit/2024-04-titles-judging/issues/266).
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Sorry my blunder, this is duplicate of #266
This report is not a duplicate of #266 cause 266 talks about the problem with ERC20 tokens, which are not used in the current version of the protocol. This report identifies a different issue from #251 hence, will be the best one for new issue family with #139 and #383 as duplicates and high severity.
After reviewing the family and the issue again, I want to make the following remarks:
FeeManager is not expected to hold any value, cause all the fees (both creation and minting ones) are transferred directly to the recepients. Hence, there are two cases when it can happen:
msg.value
instead of mint fee.Therefore, the first is invalid under the rules. The second is used in the POC, still the reports doesn't explain what is the issue with sending excess msg.value during minting, but mentions that there can be funds due to users directly transferring them. Hence, I believe it should remain invalid cause the report explains only the user mistake path.
Planning to reject the escalation and leave the issue as it is.
@WangSecurity Regarding the two cases that you mentioned: the excessive amount of Ether sent when minting would be refunded when the other issue is fixed. However, the existence of the receive function means that there are business flows that require such transfers. That said, the direct transfers would not be only by mistake.
See L345
/// @notice Allows the contract to receive ETH.
receive() external payable {}
The #139 you mentioned previously (with the already accepted escalation) is somehow similar to this issue. It also points to the root cause which is unprotected function. However, the recommendation on how to fix the problem is better described here. The root cause here is the lack of appropriate access control. So adding an appropriate access control mechanism should be a better fit to keep the project secure and antifragile.
I see what you mean, but the existence of the receive
function doesn't mean the contract expects ETH transfers. If there are any specific business flows for that to happen within the system (when one contract just sends ETH to another), then I would agree, but otherwise, I believe the existence of receive
function is not sufficient proof these flows are not mistake and will happen. Hence, my decision remains the same, reject the escalation and leave the issue as it is.
The receive
function is not default behavior is a specially added function that does not have to appear in contracts unless it is to support some business flow or the contract is to collect funds. So if the risk after further investigation is considered limited then it could be MEDIUM impact on risk finding, but not invalidated one.
Additionally, we draw your attention to the note included in the description, which shows further risks if ERC20 were in the range:
Note: The vulnerability will have an even greater impact on ERC20 tokens, which, although they were excluded from the scope after the start of the contest, the team still plans to support. Then it will be possible not only to steal them, but also the amount approved for FeeManager by the user.
Regardless of the final verdict, we recommend that the team fix the issue in accordance with the described recommendation for user safety.
@WangSecurity Thank you for your support and thorough investigation.
I agree that receive
function is of course not a default behaviour, and I agree that there is an additional impact with ERC20s, but they're out of scope. And as I've said before, the existence of receive
function doesn't automatically mean there are business flows for that, unless there are indeed other functions in other contracts that use receive
function of FeeManager. Hence, my decision remains the same, reject the escalation and leave the issue as it is.
Thank you for that calm discussion.
Result: High Duplicate of #264
Correcting, this report is not a duplicate of #264 as stated in the above comments.
ComposableSecurity
high
Unprotected
collectMintFee
function that leads to stealing funds fromFeeManager
Summary
A user can steal funds stored in
FeeManager
becausecollectMintFee
has no access control.Vulnerability Detail
The function
collectMintFee
generally should be called byEdition
contract during the minting. However, this function can be called by anyone with parameters specified by the attacker as there are no restrictions on themsg.sender
.When there are funds on
FeeManager
(and they will be there as the current implementation transfers some funds during minting to this contract) an attacker can steal them by calling this function with theFeeManager
address aspayer_
and their address asreferrer_
.Important: The funds on FeeManager contract can appear from different sources, including direct call because it has receive() function and the withdraw() function that is used by the admin to rescue tokens.
Scenario showed in POC:
collectMintFee
with the following valuesfeeManager.collectMintFee{value: 0 ether}(edition, tokenId, 1000, address(feeManager), attacker);
Note: The attacker can create their own edition and position themselves as the recipient of a high fee in it. This way, they will be able to collect even more funds per transaction.
POC results
POC file
Impact
The user can steal funds from
FeeManager
.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/c9d16782a7d3c15c7a759f22c9e0552d5e777ed7/wallflower-contract-v2/src/fees/FeeManager.sol#L183 https://github.com/sherlock-audit/2024-04-titles/blob/c9d16782a7d3c15c7a759f22c9e0552d5e777ed7/wallflower-contract-v2/src/fees/FeeManager.sol#L202
Tool used
Manual Review
Recommendation
The
collectMintFee
function should be callable only byEdition
contract orowner
. Add appropriate checks as modifiers.