First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`Laundrette::configureDependencies` assigns the weapon module to idx 0 which was earlier allocated to money shelf leads to problems during migrations.

shikhar229169

Summary

In the Laundrette::configureDependencies, in an array it sets up all the keycodes of modules, at idx 0 it assigns MONEY keycode but again at the same idx 0 it assigns the WEAPN keycode, which will lead to problems during migrations.

Vulnerability Details

The vulnerability is present in the Laundrette::configureDependencies function where it first assigns MONEY keycode at idx 0, and then WEAPN keycode at that same idx, as a result of which configureDependencies returns only the WEAPN keycode to the kernel while activating the policy, due to which the moduleDependents data structure is not updated with the policy that corresponds to the MONEY keycode.

Impact

The impact of this vulnerability happens during migration of the money shelf module to the money vault, when the executor calls the executeAction function for upgrading money shelf module to money vault then it invokes _upgradeModule function which involves getting all the policies that belongs to the keycode of the module being upgraded via moduleDependents but as the moduleDependents was not updated leads to no reconfiguring of module in the policy contract as a result of which it still points to the old money shelf contract.

PoC

Add the test in the file: test/EmergencyMigration.t.sol

Run the test:

forge test --mt test_MigratingTheMoneyShelfDoesNotReconfigurePolicy

function test_MigratingTheMoneyShelfDoesNotReconfigurePolicy() public {

EmergencyMigration migration = new EmergencyMigration();

MoneyVault moneyVault = migration.migrate(kernel, usdc, crimeMoney);

// the get module for keycode mapping is updated correctly

assertEq(address(kernel.getModuleForKeycode(Keycode.wrap("MONEY"))), address(moneyVault));

// but due to the vulnerability discussed the moduleDependents not being updated leads to

// no reconfiguring of the Laundrette policy contract and still points to money shelf

// the money shelf is present at slot 1 in Laundrette contract

address moneyShelfInLaundrette = address(uint160(uint256(vm.load(address(laundrette), bytes32(uint256(1))))));

assertNotEq(moneyShelfInLaundrette, address(moneyVault));

assertEq(moneyShelfInLaundrette, address(moneyShelf));

}

Tools Used

Manual Review, Unit Test in Foundry

Recommendations

Update the dependencies array in Laundrette::configureDependencies to assign WEAPN keycode at idx 1

function configureDependencies() external override onlyKernel returns (Keycode[] memory dependencies) {

dependencies = new Keycode[](2);

dependencies[0] = toKeycode("MONEY");

moneyShelf = MoneyShelf(getModuleAddress(toKeycode("MONEY")));

- dependencies[0] = toKeycode("WEAPN");

+ dependencies[1] = toKeycode("WEAPN");

weaponShelf = WeaponShelf(getModuleAddress(toKeycode("WEAPN")));

}

Now again run the above discussed tests and they fails which means the Laundrette policy is reconfigured.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Laundrette incorrect dependencies

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.