safdie - Unauthorized facet functionality will let attackers to gain access to restricted functions in `LibDiamond.sol`

[sherlock-admin4]

safdie

Medium

Unauthorized facet functionality will let attackers to gain access to restricted functions in LibDiamond.sol

Summary

In a Diamond Standard architecture, where multiple facets manage different functionalities, it's crucial that function calls are routed properly through the correct facet. The vulnerability allows unauthorized facets to be added or existing facets to be modified improperly, it can lead to unauthorized functionality being exposed or accessed in the contract.

Root Cause

There’s no additional validation of the function selectors in addFunctions https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibDiamond.sol#L78-L92 and replaceFunctions, https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibDiamond.sol#L94-L109 so it’s possible that the contract owner could mistakenly or maliciously add unwanted selectors with full control over the contract. This could open up a backdoor or introduce unintended functionality.

Internal pre-conditions

No response

External pre-conditions

1. The contract is using the LibDiamond.diamondCut() function to manage facets.
2. An attacker identifies that there is insufficient validation or improper facet address management (e.g., no verification of the function selectors or facet addresses in addFunctions() or replaceFunctions()).

Attack Path

1. The attacker registers a malicious facet with a function signature collision. This facet may include functions that have the same selector as critical functions (such as fund transfers or privileged admin functions).
2. Using the diamondCut() functionality, the attacker can either: add their own malicious facet using the Add action or replace an existing facet using the Replace action. For example:

   
   function addMaliciousFacet() external {
   IDiamondCut.FacetCut;
   bytes4;
   selectors[0] = this.maliciousFunction.selector; // A function that overlaps a critical selector
   cut[0] = IDiamondCut.FacetCut({
       facetAddress: address(this), 
       action: IDiamondCut.FacetCutAction.Add,
       functionSelectors: selectors
   });
   LibDiamond.diamondCut(cut, address(0), ""); // Adds malicious functionality
   }

function maliciousFunction() external { // Code for unauthorized functionality like stealing funds }

3. The attacker now has control over functionality tied to critical selectors. They can call this malicious facet's function or overwrite legitimate functionality, potentially allowing them to:
3.1. Drain funds.
3.2. Escalate privileges (e.g., becoming contract owner).
3.3. Tamper with core business logic (e.g., change fees, manipulate data).

### Impact

1. Attackers can gain access to restricted functions within the contract, such as administrative controls, fund management, or other high-privilege actions.
2. If the unauthorized functionality includes fund management (e.g., transferring tokens), the attacker could drain assets from the contract.
3. The attacker could replace facets responsible for access control, thereby taking over the contract’s ownership and administrative rights.
4. By replacing facets, the attacker could cause key functions (e.g., financial operations, voting mechanisms) to break, leading to operational failure.

### PoC

_No response_

### Mitigation

You could restrict or whitelist certain selectors or ensure only specific, predefined facets can be added or modified.