Submission Details
Severity: low
Invalid

Disable FFI cheatcodes

Summary

The test script imports the ffi cheatcode via CheatCodes.t.sol and uses it to run arbitrary code.

Vulnerability Details

ffi (Foreign Function Interface) is often used in testing environments like Foundry to allow smart contracts to interact with system-level operations or external data that are not typically accessible within the Ethereum Virtual Machine (EVM).

    function testPwned() public {
        string[] memory cmds = new string[](2);
        cmds[0] = "touch";
        cmds[1] = string.concat("youve-been-pwned-remember-to-turn-off-ffi!");
        cheatCodes.ffi(cmds);
    }

Impact

ffi can allow reading files, making HTTP requests, or executing system commands during tests. FFI should not be available in a production or mainnet environment due to security and decentralization concerns.

Tools Used

visual review

Recommendations

ffi can be useful for simulating various conditions and states that would be hard or impossible to replicate on mainnet.
However, it is not suitable for deployment in a production environment.
Ensure that production contracts do not include or rely on this testing feature.

set ffi = false in foundry.toml (line 10)

remove CheatCodes.t.sol file in /test/mocks/
remove import {_CheatCodes} from "./mocks/CheatCodes.t.sol"; statement from VotingBoothTest.t.sol in /test/
remove _CheatCodes cheatCodes = _CheatCodes(HEVM_ADDRESS); (line 18 VotingBoothTest.t.sol in /test/)
remove testPwned() function (lines 88-93 VotingBoothTest.t.sol in /test/)
remove file 'youve-been-pwned-remember-to-turn-off-ffi!' in project root if it exists
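
One way to check a project for the conditions listed above, as an added example that is not part of the original submission or the audited repository: the script reports every foundry.toml section that sets ffi = true and every Solidity line that calls an ffi cheatcode. The sample config and the function names are constructed for illustration.

```python
import re
import sys
from pathlib import Path

SECTION = re.compile(r"^\s*\[([^\]]+)\]")
FFI_ON = re.compile(r"^\s*ffi\s*=\s*true\b")
FFI_CALL = re.compile(r"\.ffi\s*\(")

# Constructed sample config (not the audited repository's foundry.toml).
SAMPLE_TOML = """[profile.default]
src = "src"
# ffi = true   (commented out, must not be reported)
ffi = true

[profile.ci]
ffi = false
"""

def ffi_enabled_sections(toml_text):
    """Return (section, line_no) for each config section that sets ffi = true."""
    hits, section = [], "(top level)"
    for no, line in enumerate(toml_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # ignore TOML comments
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
        elif FFI_ON.match(line):
            hits.append((section, no))
    return hits

def ffi_call_sites(sol_text):
    """Return line numbers of Solidity lines that call an ffi cheatcode."""
    return [no for no, line in enumerate(sol_text.splitlines(), 1)
            if FFI_CALL.search(line.split("//", 1)[0])]  # skip // comments

def audit(root):
    """Scan a Foundry project directory and return human-readable findings."""
    root, findings = Path(root), []
    cfg = root / "foundry.toml"
    if cfg.is_file():
        findings += [f"foundry.toml:{no}: ffi = true in [{sec}]"
                     for sec, no in ffi_enabled_sections(cfg.read_text())]
    for sol in sorted(root.rglob("*.sol")):
        findings += [f"{sol.relative_to(root).as_posix()}:{no}: ffi cheatcode call"
                     for no in ffi_call_sites(sol.read_text(errors="replace"))]
    return findings

if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(results) or "no ffi usage found")
    sys.exit(1 if results else 0)
```

Run with the project root as the only argument; the non-zero exit status on any finding lets it gate a CI job.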

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

testPwned: ffi enabled for test
