HardhatFoundry
30,000 USDC
Submission Details
Severity: high
Invalid

Potential Exploit via Batch Execution to Bypass Access Control

Summary

A malicious user can exploit the batch execution mode in the execute function to bypass access control and perform unauthorized actions, such as upgrading the contract to a malicious implementation.

Vulnerability Details

  • Function: execute

  • Location: Nexus contract

  • Issue: The execute function processes batch transactions without sufficiently isolating or validating each transaction's intent. A malicious user can include a call to upgradeToAndCall within a batch, bypassing the onlyEntryPointOrSelf modifier and changing the contract's implementation to a malicious contract.

Scenario:

  1. Access via Entry Point: The malicious user gains access through the entry point.

  2. Craft Malicious Operation: The user operation includes a batch of transactions, one of which calls upgradeToAndCall.

  3. Submit and Validate: The entry point validates and submits the operation.

  4. Batch Execution: The execute function processes the batch, including the unauthorized call to upgradeToAndCall.

  5. Implementation Change: The contract's implementation is changed to a malicious one.

  6. Control: The malicious user gains control over the contract via the new implementation.

  7. Unauthorized Actions: The malicious implementation can perform unauthorized actions, such as transferring funds, modifying state, or installing further malicious modules.

Impact

  • Security Breach: The malicious implementation can perform unauthorized actions, such as draining funds, modifying state, or installing further malicious modules.

  • Loss of Trust: Users may lose trust in the contract due to potential security vulnerabilities.

  • Compliance Issues: Violates the intended security model and access control mechanisms.

Tools Used

  • Manual Code Review: Analyzed the execute function to identify potential bypasses of access control.

  • Scenario Simulation: Simulated the batch execution scenario to confirm the exploit.

Recommendations

Isolate Critical Functions:

  • Ensure that critical functions like upgradeToAndCall cannot be called within a batch execution context.

  • Implement additional checks to prevent unauthorized calls to critical functions.

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
