Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FunctionAdminRequired modifier does not specify any granular security around function permissions per contract or per collection #1425

Closed
c4-submissions opened this issue Nov 13, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-303 sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenAdmins.sol#L44

Vulnerability details

Impact

FunctionAdminRequired modifier, widely used throughout the NextGen codebase, does not specify any granular security around function permissions per contract/collection. This opens up potentially significant security issues in terms of actors intentionally given FunctionAdmin access for a given function selector unintentionally gaining FunctionAdmin access to functions with the same selector on different contracts. Additionally, with no specification on which collection(s) the FunctionAdmins are granted access for for a given function selector, a bad actor that may deserve permissions to a given function for, say, Collection #1 but not Collection #2 will thus have access to calling the function by selector on both Collections #1 and #2. This vulnerability deals with access control of trusted (and potentially untrusted) actors, and puts the protocol at risk.

Proof of Concept

    function retrieveFunctionAdmin(address _address, bytes4 _selector) public view returns(bool) {
        return functionAdmin[_address][_selector];
    }

NextGenAdmins.retrieveFunctionAdmin is used widely in many of NextGen's contracts. As you can see, it only establishes access for a given address's permission for a function selector, with no additional security control.

Exploit Case 1: Same function name, different contracts

  • whether referring to currently launched contracts or future, yet-to-be-deployed contracts, contracts that may have functions declared with the same name will clearly have security issues, as any actors permissioned with FunctionAdmin rights for that function selector in the past intentionally, will in the present or future unintentionally also have permissions for that function on other contracts that may not have been accounted for by the NextGen team.

Exploit Case 2: Different functions with different names that hash to the same bytes4 selector value

  • similarly, though rare but not rare enough to discount how big of a security loophole this is, functions with different signatures can hash to the same bytes4 selector. Obvious how this could lead to unintentional, and even more difficult to debug than Case 1, selector clashes.

Tools Used

Solidity

Recommended Mitigation Steps

More granular control via the following:

// sets permission on specific function per contract
mapping(address => mapping(address => mapping(bytes4 => bool))) private functionAdminByContract;

// sets permission on specific function per collection
mapping(address => mapping(address => mapping(bytes4 => bool))) private functionAdminByCollection;
  
function registerFunctionAdminByContract(address _address, address _contract_address, bytes4 _selector, bool _status) public AdminRequired { 
      functionAdminByContract[_address][_contract_address][_selector] = _status;
}

function registerFunctionAdminByCollection(address _address, address _collection_address, bytes4 _selector, bool _status) public AdminRequired { 
      functionAdminByCollection[_address][_collection_address][_selector] = _status;
}

Assessed type

Access Control

@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Nov 19, 2023
@c4-pre-sort
Copy link

141345 marked the issue as sufficient quality report

@c4-sponsor
Copy link

a2rocket (sponsor) disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Nov 23, 2023
@a2rocket
Copy link

this is the intended design, function admins are trusted users.

@c4-judge
Copy link

c4-judge commented Dec 7, 2023

alex-ppg marked the issue as duplicate of #303

@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as unsatisfactory:
Overinflated severity

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-303 sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Development

No branches or pull requests

5 participants