Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Virtual account lacks access control #888

Closed
c4-submissions opened this issue Oct 6, 2023 · 6 comments
Closed

Virtual account lacks access control #888

c4-submissions opened this issue Oct 6, 2023 · 6 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-885 satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L85

Vulnerability details

Impact

The Virtual Account lacks access control on a function that allows arbitrary calls. This enables anyone to take any assets contained within the account.

Proof of Concept

The Virtual account has the requiresApprovedCaller modifier to prevent use from non-approved actors:

    modifier requiresApprovedCaller() {
        if (!IRootPort(localPortAddress).isRouterApproved(this, msg.sender)) {
            if (msg.sender != userAddress) {
                revert UnauthorizedCaller();
            }
        }
        _;
    }

However, the payableCall function is missing that modifier:

    function payableCall(PayableCall[] calldata calls) public payable returns (bytes[] memory returnData) {
        uint256 valAccumulator;
        uint256 length = calls.length;
        returnData = new bytes[](length);
        PayableCall calldata _call;
        for (uint256 i = 0; i < length;) {
            _call = calls[i];
            uint256 val = _call.value;
            // Humanity will be a Type V Kardashev Civilization before this overflows - andreas
            // ~ 10^25 Wei in existence << ~ 10^76 size uint fits in a uint256
            unchecked {
                valAccumulator += val;
            }

            bool success;

            if (isContract(_call.target)) (success, returnData[i]) = _call.target.call{value: val}(_call.callData);

            if (!success) revert CallFailed();

            unchecked {
                ++i;
            }
        }

        // Finally, make sure the msg.value = SUM(call[0...i].value)
        if (msg.value != valAccumulator) revert CallFailed();
    }

Since this function performs arbitrary calls with arbitrary msg.values, this allows anyone to take all assets from the contract.

Tools Used

Manual Review

Recommended Mitigation Steps

Add the requiresApprovedCaller modifier to the payableCall function (just like all other critical functions have it)

Assessed type

Other
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Oct 6, 2023
c4-submissions added a commit that referenced this issue Oct 6, 2023
@c4-submissions
minhtrng issue #888
9342af5
@c4-pre-sort
Copy link

0xA5DF marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Oct 8, 2023
This was referenced Oct 8, 2023
Closed
Open
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Oct 8, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@c4-pre-sort
Copy link

0xA5DF marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Oct 8, 2023
This was referenced Oct 9, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Oct 15, 2023
Open
Closed
Open
@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Oct 16, 2023
@c4-sponsor
Copy link

0xBugsy (sponsor) confirmed

This was referenced Oct 21, 2023
Closed
Closed
@alcueca
Copy link

alcueca commented Oct 26, 2023

I also found this one, for the record. My reward will be distributed among the wardens.

@c4-judge
Copy link
Contributor

alcueca marked issue #885 as primary and marked this issue as a duplicate of 885

@c4-judge c4-judge added duplicate-885 satisfactory satisfies C4 submission criteria; eligible for awards and removed primary issue Highest quality submission among a set of duplicates labels Oct 26, 2023
@c4-judge
Copy link
Contributor

alcueca marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-885 satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alcueca @c4-judge @c4-sponsor @c4-pre-sort @c4-submissions