Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0x73696d616f - SplitV2 wallets created by splitFactory ownership are set to FeeManager instead of the protocol #346

Closed
sherlock-admin3 opened this issue Apr 26, 2024 · 12 comments
Closed

0x73696d616f - SplitV2 wallets created by splitFactory ownership are set to FeeManager instead of the protocol #346

sherlock-admin3 opened this issue Apr 26, 2024 · 12 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Apr 26, 2024
edited by Evert0x
Loading

0x73696d616f

medium

SplitV2 wallets created by splitFactory ownership are set to FeeManager instead of the protocol

Summary

SplitV2 wallets created by splitFactory are supposed to be owned by the protocol, as mentioned by this comment, but it is not the case.

Vulnerability Detail

SplitV2 wallets created by splitFactory have an owner which is set in the SplitFactory::createSplit() call in FeeManager::createRoute(). The comment in the code indicates that the ownership is intended to be retained by the protocol

// Create the split. The protocol retains "ownership" to enable future use cases.

However, FeeManager is not upgradeable and does not have the functionality to call any onlyOwner functions of the created wallet.

Impact

Ownership of Split wallets is not guaranteed which could comprise future functionality or even funds, as it goes against what the protocol expected.

Code Snippet

FeeManager::createRoute()

...
// Create the split. The protocol retains "ownership" to enable future use cases.
receiver = Target({
    target: splitFactory.createSplit(
        SplitV2Lib.Split({
            recipients: targets,
            allocations: revshares,
            totalAllocation: 1e6,
            distributionIncentive: 0
        }),
        address(this),
        creator.target
        ),
    chainId: creator.chainId
});
...

Tool used

Manual Review

Vscode

Recommendation

The owner of the FeeManager is TitlesCore so the owner of the Split wallet can not be set to owner. Thus, consider making the owner of FeeManager the owner of TitlesCore (as explained in another issue, this would be done in the constructor of TitlesCore first. And then, set the owner of the Split wallet to owner().

Duplicate of #148
@github-actions github-actions bot closed this as completed May 6, 2024
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label May 6, 2024
@sherlock-admin2 sherlock-admin2 changed the title Nutty Amethyst Snake - SplitV2 wallets created by splitFactory ownership are set to FeeManager instead of the protocol 0x73696d616f - SplitV2 wallets created by splitFactory ownership are set to FeeManager instead of the protocol May 12, 2024
@sherlock-admin2 sherlock-admin2 added the Non-Reward This issue will not receive a payout label May 12, 2024
@0x73696d616f
Copy link

Escalate

This issue should be valid as it shows how the ownership of the Split Wallets is compromised as their ownership is not retained to the protocol, but to the FeeManager. FeeManager is not even upgradeable so there is nothing it can do.

@sherlock-admin3
Copy link
Contributor Author

Escalate

This issue should be valid as it shows how the ownership of the Split Wallets is compromised as their ownership is not retained to the protocol, but to the FeeManager. FeeManager is not even upgradeable so there is nothing it can do.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label May 12, 2024
@WangSecurity
Copy link
Collaborator

As I understand the only onlyOwner function in Split Wallet is to update the split and even if it's the case and we cannot update the split, then we can make a new one? Please correct me if I'm wrong

@0x73696d616f
Copy link

Making a new split will not help as the attributions from works will be linked to the past split (wallet).

@WangSecurity
Copy link
Collaborator

Thank you for that response, but I believe report fails to show the impact:

could comprise future functionality or even funds

In the current state, I believe the report is only a recommendation. Hence, planning to reject the escalation and leave the issue as it is.

@0x73696d616f
Copy link

The wallet can:

All of this will be DoSed as the owner was not set. In any case, not setting the owner of a wallet is a severe vulnerability.

@0x73696d616f
Copy link

0x73696d616f commented May 17, 2024
edited
Loading

It's exactly like this valid issue but in a different smart contract (the Split Wallet).

@0x73696d616f
Copy link

0x73696d616f commented May 17, 2024
edited
Loading

Just highlighting that the code clearly intends to retain ownership, as show in the comment.

// Create the split. The protocol retains "ownership" to enable future use cases.

But this is not the case, as explained in the issue.

@0x73696d616f
Copy link

docs:

If the protocol team provides specific information in the README or CODE COMMENTS, that information stands above all judging rules.

@WangSecurity
Copy link
Collaborator

Be careful with the rules, there were changes to the Hierarchy of truth, but they're not applied to this contest cause it started earlier than the changes were made. The docs version for this contest are here And now, all contests have their own Rules Version right above the Total SLOC of the contest here.

About the escalation, I agree with it and believe it should be duplicated with #148 with the core issue "roles are set incorrectly or not set at all". Planning to accept the escalation and duplicate with #148.

@Evert0x Evert0x added the Medium A valid Medium severity issue label May 24, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels May 24, 2024
@Evert0x
Copy link

Evert0x commented May 24, 2024
edited
Loading

Result:
Medium
Duplicate of #148

@sherlock-admin2
Copy link

sherlock-admin2 commented May 24, 2024
edited
Loading

Escalations have been resolved successfully!

Escalation status:

@sherlock-admin3 sherlock-admin3 removed the Escalated This issue contains a pending escalation label May 24, 2024
@sherlock-admin4 sherlock-admin4 added the Escalation Resolved This issue's escalations have been approved/rejected label May 24, 2024
@sherlock-admin2 sherlock-admin2 added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels May 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Evert0x @0x73696d616f @WangSecurity @sherlock-admin2 @sherlock-admin3 @sherlock-admin4