-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[H1] An overflow can be used to drain ETH in VirtualAccount #687
Comments
0xA5DF marked the issue as duplicate of #888 |
0xA5DF marked the issue as sufficient quality report |
One of those rare cases where an AI report that was not checked actually is right. |
alcueca marked the issue as partial-25 |
Hi, guys...... I know you are working hard and you marked this as dup. However, in this submission I am explaining how to drain ETH which is not trivial. The submission you marked as principal only shows how to steal tokens. To drain ETH you need to exploit a vulnerability in the function that is already there. |
I'll try to help you a little bit here, I think you miss a key point. The moment the batch call either fails the external call or the target destination is not a contract, the whole tx will be reverted. From your report:
You are already acknowledging that the first call will revert the tx, so, if the tx is reverted, the execution is halted and all the changes are wiped out, the "attacker" would basically be wasting gas
No, it does not depend on the previous call, if you take a closer look at the code, before each cal, the success bool variable is declared, so, it's default value is false, it doesn't matter if the previous call was true, on each new call the variable is defined, and as such, it's value is reset to the default, which is false I hope this makes sense for you and helps you to understand what did you miss 🫡 |
Hi @stalinMacias ... Sorry but |
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L86-L112
Vulnerability details
Impact
Loss of funds
Analysis of the vulnerability
There are three vulnerabilities in the
payableCall()
function that enable attackers to steal user funds. First vulnerability. The
payableCall
is unprotected This vulnerability enables calling external contracts on behalf of Virtual Account.
This can be use to steal ERC20 tokens for example.
Second vulnerability An overflow can be exploited .
The
_call.value
are sent as a parameter, so it is possible to overflow this.Third vulnerability EOA are ignored in the batch call and the succeed depends on the previous call.
If you send an EOA in the first call, the transaction will revert, but in the second call, it will succeed.
Proof of Concept
The attacker will construct the following malicious batch call
The transaction will succeed
Recommended
You need to fix this
Add a modifier
requiresApprovedCaller()
to protectpayableCall()
Set
succeed
to false if the call is an EOAAssessed type
Access Control
The text was updated successfully, but these errors were encountered: