Back to peritoflores's contests

Joyn contest - peritoflores's results

Launchpad for collaborative web3 media projects with blueprints, building blocks, and community support.

General Information

Platform: Code4rena

Start Date: 30/03/2022

Pot Size: $30,000 USDC

Total HM: 21

Participants: 38

Period: 3 days

Judge: Michael De Luca

Total Solo HM: 10

Id: 104

League: ETH

Joyn

Findings Distribution

Researcher Performance

Rank: 3/38

Findings: 1

Award: $2,683.35

🌟 Selected for report: 1

🚀 Solo Findings: 1

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryJoyn

Findings Information

🌟 Selected for report: peritoflores

Labels

bug
3 (High Risk)
sponsor confirmed

Awards

2683.3489 USDC - $2,683.35

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreProxy.sol#L9

Vulnerability details

Impact

Storage collision because of lack of EIP1967 could cause conflicts and override sensible variables

Proof of Concept

contract CoreProxy is Ownable {
       address private immutable _implement;

When you implement proxies, logic and implementation share the same storage layout. In order to avoid storage conflicts EIP1967 was proposed.(https://eips.ethereum.org/EIPS/eip-1967) The idea is to set proxy variables at fixed positions (like impl and admin ).

For example, according to the standard, the slot for for logic address should be

0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc (obtained as bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1) ).

In this case, for example, as you inherits from Ownable the variable _owner is at the first slot and can be overwritten in the implementation. There is a table at OZ site that explains this scenario more in detail

https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies

section "Unstructured Storaged Proxies"

Tools Used

Manual code review

Consider using EIP1967

#0 - sofianeOuafir

2022-04-14T23:17:27Z

This is an issue we want to investigate and fix if our investigation suggests we indeed need to make improvement on that end.

At the same time, I have little idea of what is the impact of this issue. I'm not sure if it's a high risk item

#1 - deluca-mike

2022-04-22T05:51:10Z

Impact would be that an upgrade could brick a contract by simply rearranging inheritance order, or adding variables to an inherited contract, since the implantation slot will not be where it is expected. As the warden suggests, its critical that the implementation slot be fixed at an explicit location, and not an implicit location derived purely from inheritance and declaration order.

#2 - c14sh

2023-07-14T17:49:51Z

From https://discord.com/channels/810916927919620096/855206418301714453/1129366075532902451,

since it's immutable, collision is not viable. In my opinion, immutable is only enforced by compiler so collision is possible during runtime.

Would love your opinions.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter