Malicious (malfunctioning) proxy can manipulate state variable #57
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
Q-11
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L44
Vulnerability details
Impact
A malicious (or malfunctioning) proxy contract with the same or overlapping storage layout as LooksRareAggregator can manipulate the erc20EnabledLooksRareAggregator address and set it to a malicious address, and is therefore able to steal users' ERC20 funds, as approval is granted.
Proof of Concept
The erc20EnabledLooksRareAggregator address is set as a state variable in the LooksRareAggregator contract. There is no protection against it being changed by a proxy with the same storage layout.
Tools Used
Manual auditing
Recommended Mitigation Steps
Save the erc20EnabledLooksRareAggregator address in memory before the delegatecall, as this will not be affected:
address erc20EnabledLooksRareAggregator_ = erc20EnabledLooksRareAggregator;
Then check that erc20EnabledLooksRareAggregator has not been changed after the external call:
if (erc20EnabledLooksRareAggregator_ != erc20EnabledLooksRareAggregator) {
    revert();
}
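The snapshot-and-compare mitigation from the report, as a self-contained Solidity example added here; it is not code from the LooksRare repository or from the report's author. The contract names, the `executeViaProxy` function, the custom errors and the slot-0 layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: all names below are hypothetical, not LooksRare's own code.
contract GuardedAggregator {
    // Assumed to sit in storage slot 0: the address users grant ERC20 approval to.
    address public erc20EnabledAggregator;

    error ProxyCallFailed();
    error StateChangedByProxy();

    constructor(address erc20EnabledAggregator_) {
        erc20EnabledAggregator = erc20EnabledAggregator_;
    }

    // Access control and proxy allow-listing are omitted here and assumed
    // to be enforced elsewhere.
    function executeViaProxy(address proxy, bytes calldata data)
        external
        returns (bytes memory)
    {
        // The local copy lives on the stack, so code run by the
        // delegatecall cannot alter it.
        address snapshot = erc20EnabledAggregator;

        // delegatecall executes the proxy's code against THIS contract's storage.
        (bool ok, bytes memory ret) = proxy.delegatecall(data);
        if (!ok) revert ProxyCallFailed();

        // If the proxy wrote to slot 0, revert; the revert also rolls the write back.
        if (snapshot != erc20EnabledAggregator) revert StateChangedByProxy();
        return ret;
    }
}

// Constructed test double with the same slot-0 layout. Calling execute()
// through GuardedAggregator.executeViaProxy overwrites the aggregator's
// slot 0 and must trigger StateChangedByProxy.
contract OverlappingLayoutProxy {
    address public erc20EnabledAggregator;

    function execute(address replacement) external {
        erc20EnabledAggregator = replacement;
    }
}
```

The guard covers only the one variable it snapshots; any other storage slot the proxy's layout overlaps needs the same check.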