Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LlamaPolicyMetadata.contractURI() can return corrupted JSON data #254

Open
code423n4 opened this issue Jun 14, 2023 · 7 comments
Open

LlamaPolicyMetadata.contractURI() can return corrupted JSON data #254

code423n4 opened this issue Jun 14, 2023 · 7 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-04 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-06-llama/blob/aac904d31639c1b4b4e97f1c76b9c0f40b8e5cee/src/LlamaPolicyMetadata.sol#L109

Vulnerability details

LlamaPolicyMetadata.contractURI() returns the contract URI for a given Llama policy, which gives the JSON data with the bio and generated svg image.

File: LlamaPolicyMetadata.sol
104: function contractURI(string memory name) public pure returns (string memory) {
105:     string[5] memory parts;
106:     parts[0] = '{ "name": "Llama Policies: ';
107:     parts[1] = name;
108:     parts[2] = '", "description": "This collection includes all members of the Llama organization: ';
109:     parts[3] = name;
110:     parts[4] =
111:       '. Visit https://app.llama.xyz to learn more.", "image":"https://llama.xyz/policy-nft/llama-profile.png", "external_link": "https://app.llama.xyz", "banner":"https://llama.xyz/policy-nft/llama-banner.png" }';
112:     string memory json = Base64.encode(bytes(string.concat(parts[0], parts[1], parts[2], parts[3], parts[4])));
113:     return string.concat("data:application/json;base64,", json);
114:   }

There is no checks on name upon deployment. If it contains double-quotes ", contractURI() will return a corrupted string.

Impact

If the name string has " character, it can either:

  • lead to invalid JSON data that can lead to errors when parsed by an external application
  • lead to overwriting of the "name": "Llama Policies: and "description": "This collection includes all members of the Llama organization:" properties of the contractURI. For instance, by using the following name string: ""name": "New Policy", "description": "new description"", the name and description properties parsed from the JSON object would be "name": "New Policy", "description": "new description", as opposed to the "Llama Policies:..." and "description": "This collection includes all members of the Llama organization:..." expected.
    (Note: this depends on what JSON parsing method is used, but in general the handling of key-value pair will overwrite the value if the same key is encountered multiple times.).

Tools Used

Manual Analysis

Recommended Mitigation Steps

Use the escapeJSON function from LibString to prevent the issue described above.

Assessed type

Other
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 14, 2023
code423n4 added a commit that referenced this issue Jun 14, 2023
@code423n4
joestakey issue #254
ee0f88b
@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Jun 19, 2023
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as primary issue

This was referenced Jun 19, 2023
Closed
Closed
Closed
@c4-sponsor
Copy link

AustinGreen marked the issue as sponsor acknowledged

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Jun 21, 2023
@c4-sponsor
Copy link

AustinGreen marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Jun 21, 2023
@AustinGreen
Copy link

Acknowledge but this should be of informational severity. It is extremely unlikely and there is no risk to Llama users.

@AustinGreen AustinGreen mentioned this issue Jun 21, 2023
Closed
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jul 2, 2023
@c4-judge
Copy link

c4-judge commented Jul 2, 2023

gzeon-c4 changed the severity to QA (Quality Assurance)

@c4-judge c4-judge closed this as completed Jul 2, 2023
@c4-judge
Copy link

c4-judge commented Jul 2, 2023

gzeon-c4 marked the issue as grade-c

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Jul 2, 2023
@c4-judge c4-judge reopened this Jul 2, 2023
@c4-judge c4-judge removed grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Jul 2, 2023
@c4-judge
Copy link

c4-judge commented Jul 2, 2023

gzeon-c4 marked the issue as grade-b

@KuTuGu KuTuGu mentioned this issue Jul 6, 2023
Open
@C4-Staff C4-Staff added the Q-04 label Jul 11, 2023
@T1MOH593 T1MOH593 mentioned this issue Jan 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-04 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@AustinGreen @code423n4 @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff