Nested Finance contest - Dravee's results

The one-stop Defi app to build, manage and monetize your portfolio.

General Information

Platform: Code4rena

Start Date: 15/06/2022

Pot Size: $35,000 USDC

Total HM: 1

Participants: 36

Period: 3 days

Judge: Jack the Pug

Total Solo HM: 1

Id: 137

League: ETH

Nested Finance

Researcher Performance

Rank: 16/36

Findings: 1

Award: $104.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

104.5965 USDC - $104.60

Labels

bug
disagree with severity
QA (Quality Assurance)
sponsor disputed
valid

External Links

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/governance/OwnerProxy.sol#L9-L36

Vulnerability details

Impact

OwnerProxy's selfdestruct

Proof of Concept

While only the owner (the timelock) can call the execute function, this doesn't mean it can't be compromised or phished to call a malicious _target, which could contain a call to selfdestruct().

As selfdestruct() would be a simple OPCODE in the context of the OwnerProxy contract (which is the one using delegatecall() in execute()), this would destroy the contract.

This is a known bug in the community (see the Parity Multisig Hack): delegatecalls from contracts are dangerous.

Consider making OwnerProxy a library instead of a contract to protect it from being selfdestructed and to further protect its state (that can also be manipulated as a contract).

Alternatively, consider deploying the OwnerProxy contract using CREATE2 so that the contract could be re-created at the same pre-computed address, if need be.
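
Added example (not part of the original submission or of the Nested code base): a reviewer-side check that flags SELFDESTRUCT, DELEGATECALL and CALLCODE instructions in the runtime bytecode of a proposed _target before a script that delegatecalls into it is queued. The function name and the sample bytecode strings are constructed for illustration; opcode values are those of the EVM instruction set.

```python
from __future__ import annotations

# EVM opcode values. DELEGATECALL and CALLCODE are flagged as well because a
# target can forward execution to other code that self-destructs.
RISKY = {0xFF: "SELFDESTRUCT", 0xF4: "DELEGATECALL", 0xF2: "CALLCODE"}
PUSH1, PUSH32 = 0x60, 0x7F


def risky_opcodes(runtime_hex: str) -> list[tuple[int, str]]:
    """Return (offset, name) for every risky instruction in runtime bytecode.

    This is a linear sweep: PUSH1..PUSH32 immediates are skipped so that data
    bytes equal to 0xff are not reported as instructions. Bytes in unreachable
    regions (for example compiler metadata appended after the code) are still
    decoded, so the check can over-report but will not miss a real opcode.
    """
    if runtime_hex.startswith("0x"):
        runtime_hex = runtime_hex[2:]
    code = bytes.fromhex(runtime_hex)
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in RISKY:
            hits.append((pc, RISKY[op]))
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # skip the 1..32 immediate bytes
        pc += 1
    return hits


# Constructed samples (not taken from any deployed contract).
# PUSH1 0xff, PUSH1 0, MSTORE, PUSH1 0x20, PUSH1 0, RETURN: 0xff is data only.
BENIGN = "0x60ff60005260206000f3"
# CALLER, SELFDESTRUCT: destroys whichever contract delegatecalls into it.
DESTRUCTIVE = "0x33ff"
# PUSH1 0, DUP1 x3, PUSH20 <20 bytes of 0xff>, GAS, DELEGATECALL.
FORWARDER = "0x600080808073" + "ff" * 20 + "5af4"

if __name__ == "__main__":
    for name, code in [("benign", BENIGN), ("destructive", DESTRUCTIVE),
                       ("forwarder", FORWARDER)]:
        found = risky_opcodes(code)
        print(f"{name}: {'REJECT ' + str(found) if found else 'no risky opcodes'}")
```

A clean result only covers the bytecode that was scanned, so the check has to be run against the code actually deployed at the target address, and a target flagged for DELEGATECALL needs its callee reviewed the same way.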

#0 - obatirou

2022-06-24T14:42:09Z

Disputed and disagree with severity

Nothing different from transferring the ownership to another address in terms of severity. It's about wardens' appreciation of our ownership architecture versus ours. We can imagine many other malicious scenarios, assuming that the Multisig/Timelock/OwnerProxy combination is not enough to prevent the protocol from being compromised.

#1 - jack-the-pug

2022-07-12T02:43:29Z

https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/README.md#L109

In order to complete the ownership architecture, we need the OwnerProxy contract in charge of executing scripts for the Timelock (run transactions atomically).

Per the doc, OwnerProxy is a utils for gov, FWICS, arb code exe is a feature, not a bug.

Will downgrade to QA.
