Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #5

Open
code423n4 opened this issue Jun 9, 2022 · 2 comments
Open

QA Report #5

code423n4 opened this issue Jun 9, 2022 · 2 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

code423n4 commented Jun 9, 2022
edited by 0xleastwood
Loading

Double Initialize on Diamond Init

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/facets/upgrade-initializers/DiamondInit.sol#L36

Vulnerability details

Impact

An attacker could Double Initialize the Diamond Init contract due to unsafe checks.

Proof of Concept

  1. Clone the Contest Repo.
  2. Start Remixd and go to Remix website and connect with local host
  3. Open DiamondInit contract.
  4. Compile it and call the init function multiple times with different arguments and accounts.

Tools Used

Remixd and Remix

Root Cause

There is no Standard Initializer modifier on init function. It seems the contract sets the s.initalized = true but this cannot be a valid check because I was able to call it multiple times on testing.

Recommended Mitigation Steps

Use Initializer modifier on Openzepplin library.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 9, 2022
code423n4 added a commit that referenced this issue Jun 9, 2022
@code423n4
ch13fd357r0y3r issue #5
529d82d
This was referenced Jun 19, 2022
Open
Open
@LayneHaber LayneHaber added sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) labels Jun 25, 2022
@LayneHaber
Copy link
Collaborator

connext/monorepo@bf46e73

@0xleastwood
Copy link
Collaborator

I disagree with the validity of this finding. init() can be called multiple times, but subsequent calls to this function have no affect on the state of the contract. Hence, I will downgrade this to QA.

@0xleastwood 0xleastwood changed the title Double Initialize on Diamond Init QA Report Aug 2, 2022
@0xleastwood 0xleastwood added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Aug 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LayneHaber @0xleastwood @code423n4