HardhatFoundry
30,000 USDC
Submission Details
Severity: low
Invalid

Function selector collision can lead to unexpected action

Summary

A function selector collision is a situation where two different functions have the same 4-byte function selector. If a user sets up a fallback handler for one function, an attacker who finds another function with the same selector can trigger that handler by calling the other function.

Vulnerability Details

https://github.com/Cyfrin/2024-07-biconomy/blob/9590f25cd63f7ad2c54feb618036984774f3879d/contracts/base/ModuleManager.sol#L73

The fallback handler is set up to handle certain functions, and it is selected based on msg.sig alone. However, two functions can have the same function selector. A call to the second function will then trigger the fallback handler code registered for the first function, which can lead to unexpected results.

fallback() external payable override(Receiver) receiverFallback {
    FallbackHandler storage $fallbackHandler = _getAccountStorage().fallbacks[msg.sig];
    address handler = $fallbackHandler.handler;
    CallType calltype = $fallbackHandler.calltype;
    require(handler != address(0), MissingFallbackHandler(msg.sig));
    if (calltype == CALLTYPE_STATIC) {
        assembly {
            calldatacopy(0, 0, calldatasize())
            // The msg.sender address is shifted to the left by 12 bytes to remove the padding
            // Then the address without padding is stored right after the calldata
            mstore(calldatasize(), shl(96, caller()))
            if iszero(staticcall(gas(), handler, 0, add(calldatasize(), 20), 0, 0)) {
                returndatacopy(0, 0, returndatasize())
                revert(0, returndatasize())
            }
            returndatacopy(0, 0, returndatasize())
            return(0, returndatasize())
        }
    }
    if (calltype == CALLTYPE_SINGLE) {
        assembly {
            calldatacopy(0, 0, calldatasize())
            // The msg.sender address is shifted to the left by 12 bytes to remove the padding
            // Then the address without padding is stored right after the calldata
            mstore(calldatasize(), shl(96, caller()))
            if iszero(call(gas(), handler, 0, 0, add(calldatasize(), 20), 0, 0)) {
                returndatacopy(0, 0, returndatasize())
                revert(0, returndatasize())
            }
            returndatacopy(0, 0, returndatasize())
            return(0, returndatasize())
        }
    }
}

An example of two different functions with the same function selector (0x42966c68):

function collate_propagate_storage(bytes16 x) external {}
function burn(uint256 amount) external {}

If the inputs of these functions are ignored and the action is based only on which selector was called, an attacker can use the other function to trigger the fallback handler code.
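The collision above can be checked offline. The following is an added example, not code from the report or from the Biconomy Nexus codebase: it computes ABI selectors with a small pure-Python Keccak-256 (Ethereum's keccak256, not SHA3-256, which pads differently), groups signatures by selector to find clashes, and models a dispatcher that, like the fallback() above, picks the handler from the first four bytes of calldata only. The handler name "burn-handler", the FALLBACKS table and the attacker's argument value are assumptions made for the demonstration.

```python
"""Demonstrate a 4-byte function selector collision and why a dispatcher keyed
only on msg.sig cannot tell two colliding functions apart."""

from typing import Dict, List

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants and rotation offsets (standard values).
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(s: List[int]) -> List[int]:
    # s holds 25 little-endian 64-bit lanes, lane (x, y) at index x + 5*y.
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                       # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                         # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], _ROT[x][y])
        s = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                       # chi
        s[0] ^= rc                                                     # iota
    return s


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad10*1 starting with 0x01), as used for Ethereum selectors."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> bytes:
    """ABI function selector: first 4 bytes of keccak256 of the canonical signature."""
    return keccak256(signature.encode("ascii"))[:4]


def find_collisions(signatures: List[str]) -> Dict[str, List[str]]:
    """Group signatures by selector and return only the groups that clash."""
    groups: Dict[str, List[str]] = {}
    for sig in signatures:
        groups.setdefault(selector(sig).hex(), []).append(sig)
    return {sel: sigs for sel, sigs in groups.items() if len(sigs) > 1}


def route(fallbacks: Dict[bytes, str], calldata: bytes) -> str:
    """Model of a dispatcher that picks the handler from msg.sig alone, as the
    fallback() above does; the ABI-encoded arguments after the selector are ignored."""
    if len(calldata) < 4:
        raise ValueError("calldata shorter than a selector")
    handler = fallbacks.get(calldata[:4])
    if handler is None:
        raise LookupError(f"MissingFallbackHandler({calldata[:4].hex()})")
    return handler


# Hypothetical account state: the owner installed a handler only for burn(uint256).
FALLBACKS = {selector("burn(uint256)"): "burn-handler"}


def attacker_call() -> str:
    """Calldata for collate_propagate_storage(bytes16) reaches the burn handler."""
    arg = (0xDEADBEEF).to_bytes(16, "big").ljust(32, b"\x00")  # bytes16 is left-aligned in ABI
    return route(FALLBACKS, selector("collate_propagate_storage(bytes16)") + arg)


if __name__ == "__main__":
    print(find_collisions(["burn(uint256)", "collate_propagate_storage(bytes16)",
                           "transfer(address,uint256)"]))
    print(attacker_call())
```

find_collisions() is the check a practitioner would run over the combined selector set of an account, its installed handlers and any modules before enabling a new fallback handler; a 32-bit selector space makes accidental clashes rare but cheap to search for deliberately.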

Impact

Fallback handler code can be executed for the wrong function. Depending on the handler implementation, this can affect account security or lead to an exploit.

Mitigation

To solve this problem the protocol could create a whitelist of addresses that are allowed to trigger the fallback handler. This would reduce the likelihood of an exploit based on a selector collision.

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-fallback-handler-selector-clash

This is a very clever exploit, however, it would be dependent on:
- The user installing the malicious fallback handler.
- Additionally, it is highly constrained because it would require the input parameters (`to` and `amount`) of `withdrawDepositTo()`, which are also considered when determining the function signature, to coincide with the same input parameters of the malicious functionality of the fallback handler.

Issues #185 and #190 are pointing to similar function clashing root causes so duplicating, but they do lack a similar detailed explanation of the exploit path.

Appeal created

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

finding-fallback-handler-selector-clash

This is a very clever exploit, however, it would be dependent on:
- The user installing the malicious fallback handler.
- Additionally, it is highly constrained because it would require the input parameters (`to` and `amount`) of `withdrawDepositTo()`, which are also considered when determining the function signature, to coincide with the same input parameters of the malicious functionality of the fallback handler.

Issues #185 and #190 are pointing to similar function clashing root causes so duplicating, but they do lack a similar detailed explanation of the exploit path.
