Fractional v2 contest - 0xNazgul's results

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/main/src/Vault.sol#L115-L139

Vulnerability details

Impact

_execute() allows the vault owner to delegatecall any contract with any arbitrary action.

Proof of Concept

1. Mallory deploys vault with Buyout.sol plugin. Does a successful fractional sale that she profits enough from and withdrawals all her value in the Buyout.sol contract.
2. Mallory then deploys a contract like so:

pragma solidity 0.8.13;

contract Attack {
    function kill(address killed) public payable {
        selfdestruct(payable(killed));
    }

    function encode(address contract) public pure returns (bytes memory) {
         return(abi.encodeWithSignature("kill(address)", address(killed)));
    }
}

3. She then takes her encoded message/contract address and uses it in execute() which will self destruct the vault and prevents users from being able to withdraw.

Tools Used

Manual Review

Recommended Mitigation Steps

Whitelist addresses of contracts that the vaults can delegatecall.

Lack of Event Emission For Critical Functions

Severity: Low Context: FERC1155.sol#L198-L200

Description: Several functions update critical parameters that are missing event emission. These should be performed to ensure tracking of changes of such critical parameters.

Recommendation: Add events to functions that change critical parameters.

Missing Time locks

Severity: Low Context: FERC1155.sol#L217-L236

Description: When critical parameters of systems need to be changed, it is required to broadcast the change via event emission and recommended to enforce the changes after a time-delay. This is to allow system users to be aware of such critical changes and give them an opportunity to exit or adjust their engagement with the system accordingly. None of the onlyOwner functions that change critical protocol addresses/parameters have a time lock for a time-delayed change to alert: (1) users and give them a chance to engage/exit protocol if they are not agreeable to the changes (2) team in case of compromised owner(s) and give them a chance to perform incident response.

Recommendation: Users may be surprised when critical parameters are changed. Furthermore, it can erode users' trust since they can’t be sure the protocol rules won’t be changed later on. Compromised owner keys may be used to change protocol addresses/parameters to benefit attackers. Without a time-delay, authorised owners have no time for any planned incident response.

Missing Equivalence Checks in Setters

Severity: Low Context: FERC1155.sol#L186-L225

Description: Setter functions are missing checks to validate if the new value being set is the same as the current value already set in the contract. Such checks will showcase mismatches between on-chain and off-chain states.

Recommendation: This may hinder detecting discrepancies between on-chain and off-chain states leading to flawed assumptions of on-chain state and protocol behavior.

Missing Zero-address Validation

Severity: Low Context: Buyout.sol#L42-L50, Migration.sol#L53-L60, Minter.sol#L17-L19, BaseVault.sol#L24-L26, SupplyReference.sol#L15-L17, Supply.sol#L15-L18, Metadata.sol#L15-L18

Description: Lack of zero-address validation on address parameters may lead to transaction reverts, waste gas, require resubmission of transactions and may even force contract redeployments in certain cases within the protocol.

Recommendation: Add explicit zero-address validation on input parameters of address type.

receive() Function Should Emit An Event

Severity: Low Context: Buyout.sol#L53, Migration.sol#L63

Description: Consider emitting an event inside this function with msg.sender and msg.value as the parameters. This would make it easier to track incoming ether transfers.

Recommendation: Add events to the receive() functions.

TODOs Left In The Code

Severity: Informational Context: MerkleBase.sol#L24

Description: There should never be any TODOs in the code when deploying.

Recommendation: Finish the TODOs before deploying.

Spelling Errors

Severity: Informational Context: BaseVault.sol#L97 (_datas => _data), BaseVault.sol#L104 (_datas => _data), BaseVault.sol#L113 (_datas => _data), SafeSend.sol#L15 (attemping => attempting)

Description: Spelling errors in comments can cause confusion to both users and developers.

Recommendation: Check all misspellings to ensure they are corrected.

State Variables That Can Be Set To Immutable

Context: Minter.sol#L14

Description: Solidity 0.6.5 introduced immutable as a major feature. It allows setting contract-level variables at construction time which gets stored in code rather than storage. Each call to it reads from storage, using a sload costing 2100 gas cold or 100 gas warm. Setting it to immutable will have each storage read of the state variable to be replaced by the instruction push32 value, where value is set during contract construction time and this costs only 3 gas.

Recommendation: Set the state variable to immutable

Use ++index instead of index++ to increment a loop counter

Context: Vault.sol#L78-L80, Vault.sol#L104-L106

Description: Due to reduced stack operations, using ++index saves 5 gas per iteration.

Recommendation: Use ++index to increment a loop counter.

The Increment In For Loop Post Condition Can Be Made Unchecked

Context: Vault.sol#L78-L80, Vault.sol#L104-L106, BaseVault.sol#L107-L116, BaseVault.sol#L130-L136 (For both)

Description: (This is only relevant if you are using the default solidity checked arithmetic). i++ involves checked arithmetic, which is not required. This is because the value of i is always strictly less than length <= 2**256 - 1. Therefore, the theoretical maximum value of i to enter the for-loop body is 2**256 - 2. This means that the i++ in the for loop can never overflow. Regardless, the overflow checks are performed by the compiler.

Unfortunately, the Solidity optimizer is not smart enough to detect this and remove the checks. One can manually do this by:

for (uint i = 0; i < length; i = unchecked_inc(i)) {
    // do something that doesn't change the value of i
}

function unchecked_inc(uint i) returns (uint) {
    unchecked {
        return i + 1;
    }
}

Note that it’s important that the call to unchecked_inc is inlined. This is only possible for solidity versions starting from 0.8.2.

Recommendation: The increment in the for loop post condition can be made unchecked.

Catching The Array Length Prior To Loop

Context: Buyout.sol#L454-L461, BaseVault.sol#L64-L69, BaseVault.sol#L83-L88, BaseVault.sol#L107-L116, BaseVault.sol#L130-L136 (For both), MerkleBase.sol#L51-L54, MerkleBase.sol#L110-L117

Description: One can save gas by caching the array length (in stack) and using that set variable in the loop. Replace state variable reads and writes within loops with local variable reads and writes. This is done by assigning state variable values to new local variables, reading and/or writing the local variables in a loop, then after the loop assigning any changed local variables to their equivalent state variables.

Recommendation: Simply do something like so before the for loop: uint length = variable.length. Then add length in place of variable.length in the for loop.

Setting The Constructor To Payable

Context: All Contracts

Description: You can cut out 10 opcodes in the creation-time EVM bytecode if you declare a constructor payable. Making the constructor payable eliminates the need for an initial check of msg.value == 0 and saves 21 gas on deployment with no security risks.

Recommendation: Set the constructor to payable.

Function Ordering via Method ID

Context: All Contracts

Description: Contracts most called functions could simply save gas by function ordering via Method ID. Calling a function at runtime will be cheaper if the function is positioned earlier in the order (has a relatively lower Method ID) because 22 gas are added to the cost of a function for every position that came before it. The caller can save on gas if you prioritize most called functions. One could use This tool to help find alternative function names with lower Method IDs while keeping the original name intact.

Recommendation: Find a lower method ID name for the most called functions for example mostCalled() vs. mostCalled_41q() is cheaper by 44 gas.