Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 173/175
Findings: 1
Award: $0.11
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
Also found by: 0x180db, 0xDING99YA, 0xRstStn, 0xTiwa, 0xWaitress, 0xblackskull, 0xfuje, 3docSec, Aamir, Black_Box_DD, HChang26, Hama, Inspecktor, John_Femi, Jorgect, Kek, KingNFT, Kow, Limbooo, MIQUINHO, MrPotatoMagic, NoTechBG, Noro, Pessimistic, QiuhaoLi, SovaSlava, SpicyMeatball, T1MOH, TangYuanShen, Vagner, Viktor_Cortess, Yanchuan, _eperezok, alexweb3, alexxander, ast3ros, ayden, bin2chen, blutorque, btk, ciphermarco, ether_sky, gumgumzum, gztttt, hals, imare, its_basu, joaovwfreire, josephdara, klau5, kodyvim, ladboy233, marqymarq10, mert_eren, minhtrng, n1punp, nobody2018, oada, orion, peakbolt, peritoflores, perseverancesuccess, pfapostol, rvierdiiev, stuxy, tank, unsafesol, ustas, windhustler, zambody, zzzitron
0.1127 USDC - $0.11
https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L101
The vulnerability allows attackers to execute arbitrary code in external contracts, potentially resulting in unauthorized actions, token theft, and other security breaches. The impact of this finding includes:
Arbitrary Code Execution: Attackers can craft malicious call data and execute unauthorized actions in external contracts, posing a severe security risk.
Token Theft: By exploiting this vulnerability, attackers can steal tokens or assets from users' addresses, leading to financial losses and potential reputation damage.
```solidity
/// @inheritdoc IVirtualAccount
function payableCall(PayableCall[] calldata calls) public payable returns (bytes[] memory returnData) {
    uint256 valAccumulator;
    uint256 length = calls.length;
    returnData = new bytes[](length);
    PayableCall calldata _call;

    for (uint256 i = 0; i < length;) {
        _call = calls[i];
        uint256 val = _call.value;
        // Humanity will be a Type V Kardashev Civilization before this overflows - andreas
        // ~ 10^25 Wei in existence << ~ 10^76 size uint fits in a uint256
        unchecked {
            valAccumulator += val;
        }

        bool success;

        if (isContract(_call.target)) (success, returnData[i]) = _call.target.call{value: val}(_call.callData);

        if (!success) revert CallFailed();

        unchecked {
            ++i;
        }
    }

    // Finally, make sure the msg.value = SUM(call[0...i].value)
    if (msg.value != valAccumulator) revert CallFailed();
}
```
Attack scenario: the attacker calls payableCall with _call.target set to the malicious contract and _call.callData set to abi.encodeWithSelector(ERC20.transferFrom.selector, victim, attacker, token.balanceOf(victim)); the attacker thus steals the user's tokens.
Manual review
Access Control: Implement access control mechanisms to restrict who can invoke the call and payableCall functions. Only authorized users or contracts should be allowed to use these functions.
Data Validation: Perform thorough validation of the provided _calls or PayableCall[] data to ensure that the calls do not execute arbitrary or malicious code. Consider using a whitelist of trusted contract addresses or restricting the types of calls that can be made.
Code Audits: Conduct code audits and security reviews to identify and address
call/delegatecall
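The two mitigations above (access control on the batch entry point and a whitelist of callable targets) combined in one minimal contract. This is an added illustration, not the Maia VirtualAccount code; the contract, modifier, mapping and error names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal illustration (assumed names, not the audited contract): a virtual account whose
/// batched calls are gated behind an approved-caller check and a target whitelist.
contract GuardedVirtualAccount {
    struct PayableCall { address target; bytes callData; uint256 value; }

    error CallFailed();
    error UnauthorizedCaller();
    error TargetNotAllowed(address target);

    address public immutable userAddress;          // owner of this account
    address public immutable localPort;            // trusted router that may act for the owner
    mapping(address => bool) public allowedTargets; // contracts the account may call

    constructor(address _user, address _port) { userAddress = _user; localPort = _port; }

    /// The missing piece in the reported code: only the owner or the trusted port may drive the account.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && msg.sender != localPort) revert UnauthorizedCaller();
        _;
    }

    function setAllowedTarget(address target, bool allowed) external requiresApprovedCaller {
        allowedTargets[target] = allowed;
    }

    function payableCall(PayableCall[] calldata calls)
        external payable requiresApprovedCaller returns (bytes[] memory returnData)
    {
        uint256 valAccumulator;
        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; ++i) {
            PayableCall calldata c = calls[i];
            // Reject any target that was not explicitly whitelisted.
            if (!allowedTargets[c.target]) revert TargetNotAllowed(c.target);
            // Same rule as the original: a call to an address without code is treated as a failure.
            if (c.target.code.length == 0) revert CallFailed();
            valAccumulator += c.value; // checked arithmetic; cannot realistically overflow anyway
            (bool ok, bytes memory ret) = c.target.call{value: c.value}(c.callData);
            if (!ok) revert CallFailed();
            returnData[i] = ret;
        }
        // msg.value must equal the sum of the per-call values, as in the original.
        if (msg.value != valAccumulator) revert CallFailed();
    }
}
```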
#0 - c4-pre-sort
2023-10-09T07:06:24Z
0xA5DF marked the issue as duplicate of #888
#1 - c4-pre-sort
2023-10-09T07:06:29Z
0xA5DF marked the issue as sufficient quality report
#2 - c4-judge
2023-10-26T11:33:03Z
alcueca marked the issue as satisfactory