The test suite provided by the VotingBooth team includes a function named testPwned, which creates a file on the user's machine. Because it goes through Foundry's ffi cheatcode, it is capable of executing arbitrary code on the user's machine.
The testPwned function in the test suite uses Foundry's ffi cheatcode to execute a command on the caller's machine. Check the function below.
This function is not related to smart contract unit testing in any way.
A user who runs forge test will execute it in the background, resulting in code execution on their machine. In this case it only creates a file named youve-been-pwned-remember-to-turn-off-ffi! to warn the next security researcher.
But ffi is powerful enough to do almost anything before the user notices. Whoever controls the test suite can run any command: exfiltrating API keys or passwords, dropping a malicious file, and so on. The possibilities are endless.
Arbitrary code execution on the user's machine.
Manual review
Turn off ffi before running the test suite.
Always check the reliability of the code you're about to execute. If you don't understand the code, don't run it.
Use an isolated system if you still want to run the code without a precheck.
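The precheck recommended above can be automated: before running forge test on an unfamiliar repository, scan the test directory for calls to the ffi cheatcode and check whether foundry.toml enables it. The script below is an added example, not code from the contest or the VotingBooth project; the Solidity test it scans is a constructed stand-in that mirrors the file-creating behaviour described above, and the regexes are heuristics (a `--ffi` flag on the command line would enable ffi regardless of foundry.toml).

```python
import re
import tempfile
from pathlib import Path

# Call sites of the ffi cheatcode in Solidity tests: vm.ffi(...), cheats.ffi(...)
FFI_CALL = re.compile(r"\b(?:vm|cheats|cheatcodes)\s*\.\s*ffi\s*\(")
# `ffi = true` in foundry.toml (line heuristic, not a full TOML parse)
FFI_TOML = re.compile(r"^\s*ffi\s*=\s*true\b", re.MULTILINE)

def find_ffi_calls(source: str) -> list[int]:
    """Return 1-based line numbers of a .sol file that call the ffi cheatcode."""
    return [n for n, line in enumerate(source.splitlines(), 1) if FFI_CALL.search(line)]

def ffi_enabled(foundry_toml: str) -> bool:
    """True if foundry.toml turns ffi on (the --ffi CLI flag would enable it regardless)."""
    return FFI_TOML.search(foundry_toml) is not None

def audit_repo(root: Path) -> dict[str, list[int]]:
    """Map every .sol file under <root>/test that calls ffi to its offending lines."""
    hits: dict[str, list[int]] = {}
    for path in sorted((root / "test").rglob("*.sol")):
        lines = find_ffi_calls(path.read_text())
        if lines:
            hits[path.relative_to(root).as_posix()] = lines
    return hits

# Constructed stand-in for a test that shells out; not the contest's actual code.
SAMPLE_TEST = """\
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

contract VotingBoothTest is Test {
    function testPwned() public {
        string[] memory cmd = new string[](2);
        cmd[0] = "touch";
        cmd[1] = "youve-been-pwned-remember-to-turn-off-ffi!";
        vm.ffi(cmd);  // runs on the machine that executes forge test
    }
}
"""
SAMPLE_TOML = '[profile.default]\nsrc = "src"\nffi = true\n'

def demo() -> tuple[dict[str, list[int]], bool]:
    """Write the constructed repo to a temp dir and audit it before any forge test run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "test").mkdir()
        (root / "test" / "VotingBooth.t.sol").write_text(SAMPLE_TEST)
        (root / "foundry.toml").write_text(SAMPLE_TOML)
        return audit_repo(root), ffi_enabled((root / "foundry.toml").read_text())
```

Run audit_repo against a real checkout and treat any hit as a reason to read the test before executing it, or to run it only on an isolated machine with ffi left off.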