Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Integer Overflow in _calculateSalt Function

Summary

In the _calculateSalt function, the salt is generated by concatenating three components: the contest organizer's address, the contest ID, and the implementation address. If the concatenation of these components results in a value that is larger than the maximum representable integer, the result of the hash operation will be unpredictable and could lead to unexpected proxy contract addresses.

Vulnerability Details

The vulnerable part of the code:

    /// @dev Calculate salt using contest organizer address and contestId, implementation address
    /// @dev This is an internal function
    /// @param organizer The contest organizer
    /// @param contestId The contest id
    /// @param implementation The implementation address
    function _calculateSalt(address organizer, bytes32 contestId, address implementation)
        internal
        pure
        returns (bytes32)
    {
        return keccak256(abi.encode(organizer, contestId, implementation));
    }

Here is a PoC exploiting the vulnerability:

    // attackerAddress and proxyFactory are assumed to be defined by the surrounding test script
    // Attacker's crafted contest ID
    const craftedContestId = "0x1234567800000000000000000000000000000000000000000000000000000000";
    // Attacker's malicious implementation address (placeholder, not a valid address)
    const maliciousImplementation = "0xAddressOfMaliciousImplementation";
    // Crafted salt with manipulated high bits.
    // _calculateSalt hashes abi.encode(...), so the parameters are ABI-encoded the same way here;
    // web3.utils.soliditySha3 would hash the tightly packed encoding instead.
    const manipulatedSalt = web3.utils.keccak256(
        web3.eth.abi.encodeParameters(
            ["address", "bytes32", "address"],
            [attackerAddress, craftedContestId, maliciousImplementation]
        )
    );
    // Deploy proxy with manipulated salt and malicious implementation
    const proxyAddress = await proxyFactory.getProxyAddress(manipulatedSalt, maliciousImplementation);

Impact

The creation of proxy contracts succumbs to the attacker's will, potentially leading to the exploitation of vulnerabilities in puppet contracts.

Exploit Path:

  • The attacker crafts a contest ID designed to manipulate the high bits of the organizer's address.

  • The attacker forms a salt using this crafted contest ID and their own implementation address.

  • The manipulated salt opens a gateway to unpredictable proxy contract creation.

  • As the implementation is selected by the attacker, a puppet contract emerges.

Tools Used

Manual review

Recommendations

Use a counter or nonce specific to each organizer's contests.
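
One way to apply this recommendation, shown as an added example that is neither the Sparkn code nor the submitter's: the salt keeps the three inputs of `_calculateSalt` and adds a per-organizer counter. The contract name, the `organizerNonce` mapping, the `SaltIssued` event and the `calculateSalt`, `previewNextSalt` and `issueSalt` functions are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration only; every name in this contract is hypothetical.
contract NoncedSaltExample {
    /// Number of salts already issued to each organizer.
    mapping(address => uint256) public organizerNonce;

    event SaltIssued(address indexed organizer, uint256 nonce, bytes32 salt);

    /// Same inputs as the page's _calculateSalt, plus an explicit nonce.
    /// abi.encode pads each static argument to one 32-byte word, so the
    /// hashed preimage here is always 4 * 32 = 128 bytes.
    function calculateSalt(
        address organizer,
        bytes32 contestId,
        address implementation,
        uint256 nonce
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(organizer, contestId, implementation, nonce));
    }

    /// Salt that the organizer's next call to issueSalt would produce,
    /// so the matching proxy address can be computed ahead of time.
    function previewNextSalt(address organizer, bytes32 contestId, address implementation)
        external
        view
        returns (bytes32)
    {
        return calculateSalt(organizer, contestId, implementation, organizerNonce[organizer]);
    }

    /// Consumes the caller's current nonce. A repeated (contestId, implementation)
    /// pair from the same organizer therefore never yields the same salt twice.
    function issueSalt(bytes32 contestId, address implementation)
        external
        returns (bytes32 salt)
    {
        uint256 nonce = organizerNonce[msg.sender]++; // post-increment: use old value
        salt = calculateSalt(msg.sender, contestId, implementation, nonce);
        emit SaltIssued(msg.sender, nonce, salt);
    }
}
```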
