JSON injection and xss through ERC20 symbol when generating tokenUri
#4

Labels:
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
primary issue: Highest quality submission among a set of duplicates
🤖_primary: AI based primary recommendation
🤖_06_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L46-L47
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L69-L112
Vulnerability details
Impact
The tokenURI function uses the safeERC20Symbol function in PanopticMath to get the token symbols but doesn't sanitize them. As a result, any special characters can be introduced into the factory NFT's token URI, opening a host of JSON injection attack vectors. SVG is well known to be frequently vulnerable to Cross-Site Scripting (XSS): if a malicious user can inject JavaScript into an SVG file, any user viewing the SVG on a website may be exposed to an XSS attack. Since anyone can create an ERC20 token, a Uniswap pool and a Panoptic pool, or use a token whose symbol includes special characters, this can be weaponized by attackers to execute malicious code on the frontend, for instance running a keylogger script to collect everything a user types, including their password, or creating a fake MetaMask pop-up asking the user to sign a malicious transaction that steals their funds. This holds even when the frontend processes the URI securely, for example with the standard built-in JSON.parse(). It can also be exploited by replacing the factory NFT's SVG with an arbitrary one, e.g. creating NFTs containing the same art data as existing high-priced NFTs, or legally risky images such as gore or pornography. More about this can be read here, here and here.

Proof of Concept
When constructing the metadata for the tokenUri, the code first fetches the Uniswap pool's token symbols using the safeERC20Symbol function. The safeERC20Symbol function simply queries the symbol without sanitizing the returned value: there is no check on symbol length and no check for special characters. The raw symbol is then used to construct the metadata and to generate the SVG; notice that the characters are still not sanitized at that point.

This is dangerous, as it can be weaponized to insert extra arbitrary data, altering the integrity of the JSON data.
Tools Used
Manual code review
Recommended Mitigation Steps
Sanitize the symbol data accordingly, see: https://github.com/OWASP/json-sanitizer
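As an added illustration of the mitigation (example code, not Panoptic's own), the following Solidity library applies an allow-list filter to an ERC20 symbol before it is embedded in tokenURI JSON or SVG text; the library name, MAX_SYMBOL_LENGTH and the allowed character set are assumptions. A strict allow-list is used here as a simpler on-chain alternative to the OWASP JSON sanitizer linked above, since it removes every byte that could close a JSON string, open an XML tag or carry script.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Added example (not Panoptic's code): allow-list filter for ERC20
///         symbols before they are embedded in tokenURI JSON or SVG text.
library SymbolSanitizer {
    /// @dev Longest symbol kept; anything beyond is truncated (assumed limit).
    uint256 internal constant MAX_SYMBOL_LENGTH = 16;

    /// @notice Returns `symbol` restricted to [A-Za-z0-9_-] and at most
    ///         MAX_SYMBOL_LENGTH bytes. Every other byte (quotes, braces,
    ///         angle brackets, backslashes, control characters, multi-byte
    ///         UTF-8) is dropped. Returns "?" if nothing survives, so the
    ///         rendered name and SVG label are never empty.
    function sanitize(string memory symbol) internal pure returns (string memory) {
        bytes memory input = bytes(symbol);
        uint256 cap = input.length > MAX_SYMBOL_LENGTH ? MAX_SYMBOL_LENGTH : input.length;
        bytes memory out = new bytes(cap);
        uint256 n;
        for (uint256 i = 0; i < input.length && n < cap; i++) {
            bytes1 c = input[i];
            if (
                (c >= 0x30 && c <= 0x39) || // 0-9
                (c >= 0x41 && c <= 0x5A) || // A-Z
                (c >= 0x61 && c <= 0x7A) || // a-z
                c == 0x2D || c == 0x5F      // '-' and '_'
            ) {
                out[n++] = c;
            }
        }
        if (n == 0) return "?";
        // Shrink the byte array to the number of bytes actually written.
        assembly {
            mstore(out, n)
        }
        return string(out);
    }
}
```

Applying SymbolSanitizer.sanitize to both token symbols before building the JSON name and the SVG text closes the injection path regardless of how the frontend later parses the URI.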
Assessed type
Invalid Validation