Fractional v2 contest - 0x's results

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/VaultFactory.sol#L20-L22 https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/Vault.sol#L24-L29 https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/Vault.sol#L49-L68

Vulnerability details

Impact

A mixture of Failing to initialize the implementation contract after it is deployed in the constructor of the factory contract, and allowing for the owner to delegateCall other contracts in the Vault.sol contract itself.

This will result in a permanent loss of funds.

Proof of Concept

Steps to exploit:

1. init() is called on the implementation vault contract. This will give an arbitrary address ownership over the implementation contract.
2. I can then call the external execute function on the Vault.sol contract and delegate call to a different contract I choose. Lets assume I want to delegateCall to a malicious contract that employs the selfdestruct() method.
3. Because I can delegateCall from the implementation I am able to delete the implementation contracts bytecode freezing all assets in Proxy contracts based on this implementation.

POC repo will be provided upon request.

Tools Used

Recommended Mitigation Steps

Initialize the implementation contract in the constructor of the factory contract. That will solve this issue.