Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IsContract Function Usage #79

Closed
code423n4 opened this issue Dec 8, 2021 · 2 comments
Closed

IsContract Function Usage #79

code423n4 opened this issue Dec 8, 2021 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working invalid This doesn't seem right

Comments

@code423n4
Copy link
Contributor

Handle

defsec

Vulnerability details

Impact

the isContract function that uses EXTCODESIZE was discovered to be hackable. The function will return false if it is invoked from a contract's constructor (because the contract has not been deployed yet).

The code should be used very carefully, if at all, to avoid security hacks such as:

https://www.reddit.com/r/ethereum/comments/916xni/how_to_pwn_fomo3d_a_beginners_guide (archive)

Proof of Concept

Navigate to "https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/Vault.sol#L204"
The function is allowed with isContract modifier.
However this is vulnerable implementation.
The sample code can be seen below.

Tools Used

None

Recommended Mitigation Steps

If you want to make sure that an EOA is calling your contract, a simple way is require(msg.sender == tx.origin). However, preventing a contract is an anti-pattern with security and interoperability considerations. (ethereum/solidity#683 - https://ethereum.stackexchange.com/questions/1891/whats-the-difference-between-msg-sender-and-tx-origin)
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 8, 2021
code423n4 added a commit that referenced this issue Dec 8, 2021
@code423n4
defsec issue #79
f822cd4
@loudoguno loudoguno added the need sponsor input (no confirm/acknowledg/dispute) sponsors need to evaluate the wardens claims and provide a response (confirm/acknowledge/dispute) label Dec 18, 2021
@MihanixA MihanixA added the duplicate This issue or pull request already exists label Dec 20, 2021
@MihanixA
Copy link
Collaborator

Duplicates #126 IMO

@MihanixA MihanixA removed the need sponsor input (no confirm/acknowledg/dispute) sponsors need to evaluate the wardens claims and provide a response (confirm/acknowledge/dispute) label Dec 21, 2021
@0xleastwood
Copy link
Collaborator

this does look like a duplicate. Marking as invalid.

@0xleastwood 0xleastwood added invalid This doesn't seem right and removed duplicate This issue or pull request already exists labels Jan 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@loudoguno @MihanixA @0xleastwood @code423n4