LI.FI contest - aga7hokakological's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 50/59

Findings: 1

Award: $113.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

113.8424 USDC - $113.84

Labels

bug
disagree with severity
sponsor acknowledged
QA (Quality Assurance)

External Links

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/LiFiDiamond.sol#L42-L58

Vulnerability details

Impact

If the proxy delegates to an incorrect address, or to an implementation that has been self-destructed, the delegatecall to the implementation will return success even though no code was executed.

Proof of Concept

As described in the Trail of Bits blog post linked below, the fallback performs no contract existence check on the facet address before delegating to it: https://blog.trailofbits.com/2020/10/30/good-idea-bad-design-how-the-diamond-standard-falls-short/

    assembly {
        // copy function selector and any arguments
        calldatacopy(0, 0, calldatasize())
        // execute function call using the facet
        let result := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)
        // get any return value
        returndatacopy(0, 0, returndatasize())
        // return any return value or error back to the caller
        switch result
        case 0 { revert(0, returndatasize()) }
        default { return(0, returndatasize()) }
    }

Tools Used

Manual analysis

Always check for contract existence when calling an arbitrary contract.
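As an added example (not LiFiDiamond's own code), a minimal diamond-style proxy that performs the existence check the recommendation calls for in the fallback, beside the registration-time check the sponsor mentions; the contract, mapping and error names are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal diamond: selectors map to facet addresses, and the
// fallback delegatecalls the facet. Names are this example's own.
contract DiamondWithExistenceCheck {
    address public owner;
    mapping(bytes4 => address) public facets;

    error FacetNotFound(bytes4 selector);
    error FacetHasNoCode(address facet);

    constructor() {
        owner = msg.sender;
    }

    // Registration-time check: refuse to register an address with no code.
    function setFacet(bytes4 selector, address facet) external {
        require(msg.sender == owner, "not owner");
        if (facet.code.length == 0) revert FacetHasNoCode(facet);
        facets[selector] = facet;
    }

    fallback() external payable {
        address facet = facets[msg.sig];
        if (facet == address(0)) revert FacetNotFound(msg.sig);
        // Call-time check: a facet that had code when registered but was
        // later self-destructed would otherwise make delegatecall return
        // success with empty return data, as the finding describes.
        if (facet.code.length == 0) revert FacetHasNoCode(facet);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let result := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch result
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}
```

Note that selfdestruct removes a contract's code only at the end of the transaction in which it runs, so the call-time check catches a facet destroyed in an earlier transaction, not one destroyed earlier in the same transaction.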

#0 - H3xept

2022-04-13T13:43:01Z

There are checks for contract existence upon facet addition. This issue could only arise in the event of facet contract self destruct - which we do not intend to implement.

#1 - gzeoneth

2022-04-16T17:47:43Z

Downgrading to Low/QA. Treating as warden's QA Report.

#2 - JeeberC4

2022-04-17T04:21:33Z

Preserving original title: No contract existence check on LiFiDiamond.sol#fallback() function

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
