First Flight #16: Mafia Takedown
First Flight #16
Beginner FriendlyDeFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[M-1] Misconfigured dependencies in `Laundrette` contract can lead to potential vulnerabilities in the future

Keyword

Description: The Laundrette::configureDependencies function incorrectly assigns the dependencies for the MONEY and WEAPN keycodes. The function assigns both keycodes to the same index in the dependencies array, causing the MONEY keycode to be overwritten by the WEAPN keycode. As a result, only WEAPN is correctly registered as a dependency in the Kernel contract.

Impact: Future Policies or Modules that rely on the correct registration of the MONEY keycode may encounter failures in permission assignments or role-based access control. Upgradability and maintenance risks. As the protocol evolves and Modules are upgraded, the Kernel's dependency management may become inconsistent, leading to complex bugs.

Proof of Concepts: Add the following lines of code in the Laundrette.t.sol file.

PoC - click the arrow below
// change imports
import { Kernel, Policy, Permissions, Keycode, Role, Actions } from "src/Kernel.sol";
function testIncorrectDependencies() public {
// Check the dependent index for the MONEY keycode
Keycode moneyKeycode = Keycode.wrap(bytes5("MONEY"));
uint256 moneyIndex = kernel.getDependentIndex(moneyKeycode, laundrette);
console.log("Dependent Index for MONEY:", moneyIndex);
// Check the dependent index for the WEAPN keycode
Keycode weapnKeycode = Keycode.wrap(bytes5("WEAPN"));
uint256 weapnIndex = kernel.getDependentIndex(weapnKeycode, laundrette);
console.log("Dependent Index for WEAPN:", weapnIndex);
// Verify the module dependents for each keycode
uint256 moneyDependentsLength = getModuleDependentsLength(moneyKeycode);
uint256 weapnDependentsLength = getModuleDependentsLength(weapnKeycode);
console.log("Number of dependents for MONEY keycode:", moneyDependentsLength);
console.log("Number of dependents for WEAPN keycode:", weapnDependentsLength);
// Ensure Laundrette is in the dependents list for both keycodes
bool foundInMoney = isDependentPresent(moneyKeycode, laundrette);
bool foundInWeapn = isDependentPresent(weapnKeycode, laundrette);
console.log("Laundrette found in MONEY dependents:", foundInMoney);
console.log("Laundrette found in WEAPN dependents:", foundInWeapn);
assertTrue(foundInMoney, "Laundrette should be a dependent of MONEY");
assertTrue(foundInWeapn, "Laundrette should be a dependent of WEAPN");
}
function getModuleDependentsLength(Keycode keycode) internal view returns (uint256) {
uint256 count = 0;
for (uint256 i = 0;; i++) {
try kernel.moduleDependents(keycode, i) returns (Policy) {
count++;
} catch {
break;
}
}
return count;
}
function isDependentPresent(Keycode keycode, Policy policy) internal view returns (bool) {
for (uint256 i = 0;; i++) {
try kernel.moduleDependents(keycode, i) returns (Policy dependent) {
if (dependent == policy) {
return true;
}
} catch {
break;
}
}
return false;
}

Test output

Logs:
⚠️ You have deployed a mock conract!
Make sure this was intentional
Dependent Index for MONEY: 0
Dependent Index for WEAPN: 0
Number of dependents for MONEY keycode: 0
Number of dependents for WEAPN keycode: 1
Laundrette found in MONEY dependents: false
Laundrette found in WEAPN dependents: true

Recommended mitigation: Update the Laundrette::configureDependencies function.

function configureDependencies() external override onlyKernel returns (Keycode[] memory dependencies) {
dependencies = new Keycode[](2);
dependencies[0] = toKeycode("MONEY");
moneyShelf = MoneyShelf(getModuleAddress(toKeycode("MONEY")));
- dependencies[0] = toKeycode("WEAPN");
+ dependencies[1] = toKeycode("WEAPN");
weaponShelf = WeaponShelf(getModuleAddress(toKeycode("WEAPN")));
}
Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Laundrette incorrect dependencies

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.