A malicious forwarder can replace the owner of MetaContext #305
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-377
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/MetaContext.sol#L6
Vulnerability details
Impact
The origin owner will not be able to block attacks by a malicious forwarder.
Contracts inherited from MetaContext may lose owner rights.
Because MetaContext is a fundamental contract, and has been inherited by many important contracts(StableToken, StableVault, Position, Trading, GovNFT, etc), its vulnerability may have a great impact.
Proof of Concept
The owner can add any forwarder to MetaContext.
A malicious forwarder may be added by owner if:
The malicious forwarder would at first time call
transferOwnership()
as the owner to get the ownership, so that no one can block its subsequent attacks.Here is an example of this attack:
Test output:
Tools Used
VS Code
Recommended Mitigation Steps
The forwarder should be prohibited from acting as the owner:
The text was updated successfully, but these errors were encountered: