Severity: high
Valid

`HorseStore.huff` doesn't revert with invalid function name, causing it to call `GET_TOTAL_SUPPLY` instead

Description

If `HorseStore.huff` is called with a function that doesn't match any of the declared function signatures, it does not revert but instead calls the `GET_TOTAL_SUPPLY` function, since it is the first defined function.

```
dup1 __FUNC_SIG(balanceOf) eq balanceOf jumpi
dup1 __FUNC_SIG(ownerOf) eq ownerOf jumpi

totalSupply:
    GET_TOTAL_SUPPLY()
```
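The fall-through can be reproduced in a small model of the dispatcher. This is an added example in Python, not code from the submission or from `HorseStore.huff`: it runs the `dup1 / eq / jumpi` sequence on a stack, with and without a revert after the table. It assumes `totalSupply` has its own dispatch entry and that every macro ends in a return; `UNKNOWN` is a constructed selector.

```python
# Simplified model of the MAIN() dispatcher; labels are kept symbolic on the stack.
# Selector values for the three ERC-721 views are the standard 4-byte selectors.
SEL = {"totalSupply": 0x18160DDD, "balanceOf": 0x70A08231, "ownerOf": 0x6352211E}
UNKNOWN = 0xDEADBEEF  # constructed value standing in for an undeclared selector


def dispatcher(guarded):
    """Build the op list: dispatch table, optional revert guard, then macro bodies."""
    prog = []
    for name in SEL:  # assumption: totalSupply also has a dispatch entry
        prog += [("dup1",), ("push", SEL[name]), ("eq",), ("push", name), ("jumpi",)]
    if guarded:
        prog += [("push", 0), ("push", 0), ("revert",)]
    for name in SEL:  # first label after the table is totalSupply, as on the page
        prog += [("label", name), ("macro", name)]
    return prog


def run(prog, selector):
    """Execute the ops with a real stack and program counter; return the outcome."""
    labels = {op[1]: i for i, op in enumerate(prog) if op[0] == "label"}
    stack, pc = [selector], 0  # selector already extracted from calldata
    while pc < len(prog):
        op = prog[pc]
        pc += 1
        if op[0] == "dup1":
            stack.append(stack[-1])
        elif op[0] == "push":
            stack.append(op[1])
        elif op[0] == "eq":
            stack.append(int(stack.pop() == stack.pop()))
        elif op[0] == "jumpi":  # pops destination first, then the condition
            dest, cond = stack.pop(), stack.pop()
            if cond:
                pc = labels[dest]
        elif op[0] == "revert":
            return "REVERT"
        elif op[0] == "macro":  # assumption: each macro body ends in return
            return op[1]
        # "label" is a JUMPDEST: a no-op when reached by falling through
    return "STOP"


if __name__ == "__main__":
    for guarded in (False, True):
        for sel in (UNKNOWN, SEL["ownerOf"], SEL["totalSupply"]):
            print(guarded, hex(sel), run(dispatcher(guarded), sel))
```

Without the guard, every failed comparison leaves only the selector on the stack and the program counter walks straight into the first label after the table.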

Impact

Instead of reverting as expected, the code returns a value.

Proof of concept

The following test

```solidity
function testCanCallNonExistingFunction() public {
    // blabla() is not declared in HorseStore.huff, yet both calls succeed
    console.log("Bla", horseStore.blabla());
    horseStore.mintHorse();
    console.log("Bla", horseStore.blabla());
}
```

passes for HorseStore.huff, given that the blabla function is defined in the caller interface.

```
Running 1 test for test/HorseStoreHuff.t.sol:HorseStoreHuff
[PASS] testCanCallNonExistingFunction() (gas: 82060)
Logs:
  Bla 0
  Bla 1
```

Recommended mitigation

Revert the MAIN function if the called function did not match any of the declared function signatures.

dup1 __FUNC_SIG(balanceOf) eq balanceOf jumpi
dup1 __FUNC_SIG(ownerOf)eq ownerOf jumpi
+ 0x00 0x00 revert
totalSupply:
GET_TOTAL_SUPPLY()
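Review bot: Placing `0x00 0x00 revert` directly above `totalSupply:` makes that label reachable only through an explicit jump, and the two dispatch lines shown cover only `balanceOf` and `ownerOf`. Confirm that the table above these lines has a matching `dup1 __FUNC_SIG(totalSupply) eq totalSupply jumpi` entry, otherwise `totalSupply()` itself will start reverting after this change. A regression test that calls an undeclared selector and expects a revert (the inverse of `testCanCallNonExistingFunction`) would lock the fix in, and the `__FUNC_SIG(ownerOf)eq` context line is missing a space before `eq`.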
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

MAIN() macro is not properly implemented

Any call data sent to the contract that doesn't contain a function selector will randomly mint a horse.
