Back to Czar102's contests

Connext Amarok contest - Czar102's results

The interoperability protocol of L2 Ethereum.

General Information

Platform: Code4rena

Start Date: 08/06/2022

Pot Size: $115,000 USDC

Total HM: 26

Participants: 72

Period: 11 days

Judge: leastwood

Total Solo HM: 14

Id: 132

League: ETH

Connext

Findings Distribution

Researcher Performance

Rank: 14/72

Findings: 2

Award: $1,424.85

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryConnext

Findings Information

🌟 Selected for report: Czar102

Also found by: shenwilly

Labels

bug
2 (Med Risk)
resolved
sponsor confirmed

Awards

1169.1572 USDC - $1,169.16

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/DiamondCutFacet.sol#L16-L29 https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibDiamond.sol#L94-L118 https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibDiamond.sol#L222-L240

Vulnerability details

Impact

Diamond is to be upgraded after a certain delay to give time to the community to verify changes made by the developers. If the proposition can be falsified, the contract admins can exploit the contract in any way of their choice.

Proof of Concept

To determine the id of the proposal, only its facet changes are hashed, skipping two critical pieces of data - the _init and _calldata. During a diamond upgrade, devs can choose what code will be executed by the contract using a delegatecall. Thus, they can make the contract perform any actions of their choice.

Tools Used

Manual analysis

Add _init and _calldata to the proposition hash.

#0 - jakekidd

2022-06-27T02:21:50Z

Resolved by https://github.com/connext/nxtp/commit/63badc862f1aea54082c797cee08949a7bb95d9f

#1 - 0xleastwood

2022-08-02T04:24:04Z

I consider this to be severe, however, it does require a malicious or compromised governance. Because of this, I would prefer to have this downgraded to medium severity.

Findings Information

🌟 Selected for report: GimelSec

Also found by: Czar102, Lambda, csanuragjain, minhquanym, shenwilly

Labels

bug
duplicate
2 (Med Risk)

Awards

255.6947 USDC - $255.69

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/DiamondCutFacet.sol#L16-L29 https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibDiamond.sol#L94-L118 https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibDiamond.sol#L222-L240

Vulnerability details

Impact

The diamond shall be monitored externally to remove the need of trust to developers. If a timelock can be bypassed, it poses a threat as people who weren't trusted can exploit the system.

Additionally, the contract can immediately perform any delegatecall of owner's choice.

Proof of Concept

    require(
      diamondStorage().acceptanceTimes[keccak256(abi.encode(_diamondCut))] < block.timestamp,
      "LibDiamond: delay not elapsed"
    );

The above code isn't enough verification if the delay elapsed, if the hash was never used before, then this check will pass as the value read from storage is 0. This means that th change hasn't been proposed, but that isn't checked.

Tools Used

Manual analysis

Require that the value read is nonzero and less than the current timestamp.

#0 - LayneHaber

2022-06-21T22:56:13Z

Duplicate of #215

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter