DeFiHardhatFoundry
250,000 USDC
View results
Submission Details
Severity: high
Invalid

Unsafe Delegatecall in Diamond.sol

Summary

The Diamond contract uses a delegatecall to invoke functions on other contracts. However, it does not verify if the callee contract is trustworthy or not, which can potentially allow an attacker to take over the contract.

Vulnerability Details

In the Diamond contract, the fallback function uses a delegatecall to invoke functions on other contracts. Delegatecall is a low-level function that allows one contract to execute the code of another contract, while maintaining the context of the original contract. This means that when Diamond contract uses delegatecall, it allows the callee contract to modify its state variables.

Here is the code snippet with the issue:

fallback() external payable {
LibDiamond.DiamondStorage storage ds;
bytes32 position = LibDiamond.DIAMOND_STORAGE_POSITION;
assembly {
ds.slot := position
}
address facet = ds.facetAddressAndSelectorPosition[msg.sig].facetAddress;
require(facet != address(0), "Diamond: Function does not exist");
assembly {
calldatacopy(0, 0, calldatasize())
let result := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)
returndatacopy(0, 0, returndatasize())
switch result
case 0 {
revert(0, returndatasize())
}
default {
return(0, returndatasize())
}
}
}

The problem here is that there is no verification on the facet contract to which the delegatecall is being made. If an attacker can somehow make the contract delegatecall to a malicious contract, they can manipulate the state variables of the Diamond contract.

Impact

An attacker could potentially exploit this vulnerability to take over the Diamond contract. This can lead to a complete loss of funds for the contract holders.

Tools Used

Manual Review

Recommendations

  1. Deploy the Diamond contract and a malicious contract.

  2. Make the Diamond contract delegatecall to the malicious contract.

  3. The malicious contract modifies the state variables of the Diamond contract, taking over the contract.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.