NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Summary

There is a possibility that control of the contract may be hijacked by a malicious user through preemptive initialization.

Vulnerability Details

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Bridge.sol#L44

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/UUPSProxied.sol#L20

In the UUPSOwnableProxied contract, the initialize method is guarded only by the onlyInit modifier, which ensures it can be called once; there is no further access control on who may call it. Once the contract is deployed, a malicious user can call initialize before the legitimate owner does and set the owner to an address they control. Because initialize never verifies the caller, an attacker who front-runs the owner's initialization transaction gains complete control of the contract.

  • The onlyInit modifier only checks if it has been initialized, but does not restrict who can call the initialize method.

  • A malicious user can call initialize before the legitimate owner and hijack the contract ownership.

Impact

  • Contract control hijacked: A malicious user can call initialize before the owner, thereby seizing ownership and control of the contract.

  • Loss of funds: Once the contract is hijacked, the attacker can perform arbitrary privileged operations, including transferring assets held by the contract, resulting in loss of funds.

  • Compromised system integrity: The owner and control of the contract are illegally tampered with, which may threaten the integrity of the entire system.

Tools Used

VSCode

Recommendations

  • Restrict access to initialize: Add an access control check, such as the onlyOwner modifier, to ensure that only the owner of the contract can call the initialize method.

  • Use an access-controlled proxy: When the proxy is deployed, restrict who can reach initialize so that initialization can only be performed by trusted addresses.
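To make the two recommendations concrete, here is an added example (constructed for this write-up, not the project's code). It mirrors the onlyInit-style guard beside a hardened variant that both checks the caller and initializes in the same transaction as the proxy creation; it assumes OpenZeppelin's ERC1967Proxy and simplified contract names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Constructed example, not the project's code. Same shape as the finding:
// the guard checks only WHETHER initialize has run, never WHO calls it.
contract VulnerableInit {
    bool private _initialized;
    address public owner;
    modifier onlyInit() {
        require(!_initialized, "already initialized");
        _;
        _initialized = true;
    }
    // Whoever lands this call first becomes owner of the proxy.
    function initialize(address newOwner) external onlyInit {
        owner = newOwner;
    }
}

// Hardened variant (assumed design). Layer 1: only the account that deployed the
// implementation may initialize. An `immutable` is stored in bytecode, so the
// check still holds when the function runs through a proxy's delegatecall.
contract GuardedInit {
    bool private _initialized;
    address public owner;
    address private immutable _deployer;
    constructor() { _deployer = msg.sender; }
    modifier onlyInit() {
        require(!_initialized, "already initialized");
        _;
        _initialized = true;
    }
    function initialize(address newOwner) external onlyInit {
        require(msg.sender == _deployer, "caller is not deployer");
        owner = newOwner;
    }
}

// Layer 2: implementation, proxy and initialized state are created in ONE
// transaction, so an uninitialized proxy is never observable on chain.
contract AtomicDeployer {
    address public immutable proxy;
    constructor(address finalOwner) {
        GuardedInit impl = new GuardedInit(); // _deployer == this contract
        bytes memory init = abi.encodeCall(GuardedInit.initialize, (finalOwner));
        proxy = address(new ERC1967Proxy(address(impl), init)); // msg.sender == this
    }
}
```

Deploying AtomicDeployer leaves no block in which the proxy exists without an owner, which is the window the finding relies on.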

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-bridge-initialize-frontrun

If front-run at the first deployment, the protocol will deploy again, no real impact: informational. Moreover, it is already deployed and initialized on mainnet. For the upgrades, `initialize` can/will change for the next update since the owner is already set. A lot of protocols make that change. That’s why I consider it a future feature and it is out of scope.
