Back to ladboy233's contests

Drips Protocol contest - ladboy233's results

An Ethereum protocol for streaming and splitting funds.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $90,500 USDC

Total HM: 3

Participants: 26

Period: 9 days

Judge: GalloDaSballo

Id: 209

League: ETH

Drips Protocol

Findings Distribution

Researcher Performance

Rank: 10/26

Findings: 1

Award: $893.97

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryDrips Protocol

Findings Information

🌟 Selected for report: 0xA5DF

Also found by: 0xbepresent, ladboy233

Labels

bug
2 (Med Risk)
partial-25
sponsor disputed
duplicate-163

Awards

893.9701 USDC - $893.97

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/Caller.sol#L106

Vulnerability details

Impact

Authorization from Caller has no expiration time

Proof of Concept

In the current implementation of the Caller.sol, the author can authorize a sender to call function onbehalf of him.

/// @notice Grants the authorization of an address to make calls on behalf of the sender.
/// @param user The authorized address.
function authorize(address user) public {
	address sender = _msgSender();
	require(_authorized[sender].add(user), "Address already is authorized");
	emit Authorized(sender, user);
}

However, this authorization has no expiration time and is valid forever unless the caller remove the authorization.

This opens the door for several exploitation paths.

One party can use Social Engineering to make the other party authorize the call, and the authorized user can call

function callAs(address sender, address to, bytes memory data)
	public
	payable
	returns (bytes memory returnData)
{
	require(isAuthorized(sender, _msgSender()), "Not authorized");
	return _call(sender, to, data, msg.value);
}

Since the authorization has no expiration time, the malicious approved caller can really take time to perform malicious call such as perform sub-optimal trade on behalf of the sender and by the sender realized the exploit is already completeted.

Tools Used

Manual Review

We recommend the protocol add expiration time when giving authorization to the caller.

#0 - xmxanuel

2023-02-11T10:16:53Z

Feature request/suggestions are not a bug in my opinion.

#1 - CodeSandwich

2023-02-12T15:04:19Z

[dispute validity] If the user can be socially engineered to grant approval to a malicious actor, then it's game over for the user anyway, no time limits are going to change that. It's designed similarly to approvals in ERC-20 and ERC-721, so it's a very common strategy in the ecosystem.

#2 - c4-sponsor

2023-02-13T11:18:19Z

CodeSandwich marked the issue as sponsor disputed

#3 - GalloDaSballo

2023-02-23T12:16:01Z

While this finding is not the same as #163 I believe it somewhat points to the same issue, am going to mark as duplicate but at 25% due to lack of POC

#4 - c4-judge

2023-02-23T12:16:13Z

GalloDaSballo marked the issue as duplicate of #163

#5 - c4-judge

2023-02-23T12:16:37Z

GalloDaSballo marked the issue as partial-25

#6 - GalloDaSballo

2023-03-02T08:37:13Z

25% because less precise than 124

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter