NestedFactory.addOperator/removeOperator have no effect until importOperators #62
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
Comments
code423n4
added
2 (Med Risk)
|
Duplicated : #38 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-02-nested/blob/main/contracts/FeeSplitter.sol#L155
Vulnerability details
Impact
addOperator/removeOperatorbeing run alone don't have any effect, as the cache is used in operations, which is only updated when an implementation is added or removed viaimportOperators.If an operation is added via
addOperator, butimportOperatorsisn't yet called, the cache doesn't include new operation and it's not usable.More dangerously, when operator is removed with
removeOperator, it is still can be used, even ifrebuildCacheswas called after that, as an operator is removed from cache only when implementation is zero, so until that is done viaimportOperators, the deleted operator can be still called by user facing functions.If operator removal was linked to security considerations this opens up an attack surface, when a malicious user front runs
importOperators, invoking the operator to be deleted as it’s still in the cache and can be accessed withcallOperator.This dependency was described among other points in code-423n4/2021-11-nested-findings#139, but isn't yet addressed, as the need of atomic run and now corrected
removeOperatorimplementation were independent issues.Proof of Concept
NestedFactory.addOperator/removeOperator only manage the
operatorsarray:https://github.com/code-423n4/2022-02-nested/blob/main/contracts/NestedFactory.sol#L100-122
rebuildCachesremove operator from cache only after its implementation is set to zero:https://github.com/code-423n4/2022-02-nested/blob/main/contracts/OperatorResolver.sol#L74
https://github.com/code-423n4/2022-02-nested/blob/main/contracts/abstracts/MixinOperatorResolver.sol#L36-45
importOperatorsis effectively adds and removes operators by changing their implementation:https://github.com/code-423n4/2022-02-nested/blob/main/contracts/OperatorResolver.sol#L52-70
This way
addOperator/removeOperatorshould only be run atomically withimportOperatorswithin one transaction to prevent front running.Recommended Mitigation Steps
As both
addOperator/removeOperatoraren't effective alone, whileaddOperator/removeOperatorandimportOperatorsare both only owner run, and, given that this functions are basically two parts of one operation, consider addimportOperatorscall toaddOperator/removeOperator.addOperator/removeOperatorarguments to be expanded to includeOperatorstructure to be set for the operator viaimportOperators.The text was updated successfully, but these errors were encountered: