Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Compromised Guardian Leading to Malicious Proxy Deployment in TadleFactory

Summary

The `TadleFactory` contract lets a single guardian address deploy upgradeable proxy contracts through `deployUpgradeableProxy`. The only access check on that function is that the caller is the guardian, so if the guardian key is compromised, its holder can deploy a proxy whose logic contract they control and have the factory register it as one of the system's contracts.

Vulnerability Details

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L51-L71

Initial State: `guardian` is set to an address controlled by the attacker (either because the key was compromised after deployment or because the deployer passed an attacker-controlled address to the constructor).

Attack:

  • The attacker deploys a logic contract they control (`DummyImplementation` in the PoC below stands in for it) and, from the guardian address, calls `deployUpgradeableProxy(index, logic, initData)`.

  • The factory only checks `onlyGuardian`; it cannot tell a legitimate logic contract from a malicious one, so the call succeeds, the proxy is created with the attacker's logic, and its initializer runs with whatever `initData` the attacker supplied.

  • Impact: the system now contains a proxy under the attacker's control, registered by the factory at the chosen index.

// SPDX-License-Identifier: GPL-2.0-or-later
pragma solidity ^0.8.13;

import "forge-std/Test.sol";
import "../src/factory/TadleFactory.sol";
import "../src/proxy/UpgradeableProxy.sol";
import "../src/libraries/Address.sol";

contract ExploitSimulationTest is Test {
    TadleFactory factory;
    address guardian;

    function setUp() public {
        // The guardian is whatever address the deployer passes in; here it is
        // an address the attacker is assumed to control.
        guardian = address(0x123);
        factory = new TadleFactory(guardian);
    }

    function testCompromisedGuardian() public {
        vm.startPrank(guardian);

        // Attacker-controlled logic contract. Its initialize() is empty here,
        // but it could contain anything: the factory only checks the caller.
        address logic = address(new DummyImplementation());
        bytes memory data = abi.encodeWithSignature("initialize()");

        // The only gate on deployUpgradeableProxy is onlyGuardian, so the call
        // succeeds and the attacker's proxy is registered under index 1.
        try factory.deployUpgradeableProxy(1, logic, data) {
            emit log("Compromised guardian exploit succeeded");
            assertTrue(true);
        } catch {
            emit log("Compromised guardian exploit failed");
            assertTrue(false);
        }

        vm.stopPrank();
    }
}

// Stand-in for the attacker's logic contract.
contract DummyImplementation {
    function initialize() public {}
}

forge test --match-path test/ExploitSimulationTest.t.sol
[⠊] Compiling...
[⠑] Compiling 1 files with Solc 0.8.26
[⠘] Solc 0.8.26 finished in 1.56s
Compiler run successful!

Ran 1 test for test/ExploitSimulationTest.t.sol:ExploitSimulationTest
[PASS] testCompromisedGuardian() (gas: 720894)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 105.54ms (36.09ms CPU time)

Ran 1 test suite in 147.51ms (105.54ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

  • An attacker controlling the guardian address can deploy a proxy pointing to a logic contract of their choosing; the factory performs no check on the logic beyond the guardian's authority to call the function.

  • Through that proxy the attacker can perform whatever the malicious logic allows, such as moving funds held by the proxied component, changing its configuration, or halting it.

  • Because the guardian is a single key with no delay or second approver in front of it, one key compromise is enough to affect every proxy the factory deploys from that point on.

Tools Used

Manual review

Recommendations

  • Use a multisig wallet as the guardian so that deploying a proxy requires more than one compromised key.

  • Hand the guardian role over with a two-step transfer (propose, then accept from the new address) rather than a single-step set, so a mistyped or attacker-supplied address cannot silently take over, and rotate the key when operators change.

  • Limit what the guardian can do: if the set of related contracts is fixed, restrict deployments to known indices or to logic addresses approved by a separate role.

  • Put a time-lock in front of `deployUpgradeableProxy` (announce the logic address and init data, wait, then execute) so that a malicious deployment is visible on-chain before it takes effect and can be cancelled by a second party.
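The following sketch, added here as an illustration and not taken from the Tadle code base, combines the last three recommendations in one factory: the guardian can only queue a deployment, it becomes executable after a fixed delay, a separate veto role (assumed to be a multisig) can cancel it while it waits, and the guardian role is handed over in two steps. The contract, function and role names (`TimelockedFactory`, `queueDeployment`, `executeDeployment`, `vetoer`, `MIN_DELAY`) are assumptions for the example, and OpenZeppelin's `ERC1967Proxy` stands in for Tadle's own `UpgradeableProxy`.

```solidity
// SPDX-License-Identifier: GPL-2.0-or-later
pragma solidity ^0.8.13;

// Added example, not Tadle's code. ERC1967Proxy is used as a generic proxy
// stand-in; Tadle's factory deploys its own UpgradeableProxy.
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

contract TimelockedFactory {
    uint256 public constant MIN_DELAY = 2 days;   // assumed delay

    address public guardian;          // queues and executes deployments
    address public pendingGuardian;   // two-step handover target
    address public vetoer;            // e.g. a multisig; may cancel queued items

    struct Pending {
        address logic;
        bytes data;
        uint64 readyAt;               // 0 means no entry queued
    }

    mapping(uint8 => Pending) public queue;            // index => queued deployment
    mapping(uint8 => address) public relatedContracts; // index => deployed proxy

    event DeploymentQueued(uint8 indexed index, address logic, uint64 readyAt);
    event DeploymentCancelled(uint8 indexed index);
    event RelatedContractDeployed(uint8 indexed index, address proxy);

    error Unauthorized(address caller);
    error NothingQueued(uint8 index);
    error NotReady(uint8 index, uint64 readyAt);
    error LogicNotContract(address logic);

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert Unauthorized(msg.sender);
        _;
    }

    constructor(address _guardian, address _vetoer) {
        guardian = _guardian;
        vetoer = _vetoer;
    }

    // Step 1: the guardian announces a deployment. Nothing is deployed yet, so a
    // compromised guardian key alone cannot put a malicious proxy live.
    function queueDeployment(uint8 index, address logic, bytes calldata data) external onlyGuardian {
        if (logic.code.length == 0) revert LogicNotContract(logic);
        uint64 readyAt = uint64(block.timestamp + MIN_DELAY);
        queue[index] = Pending({logic: logic, data: data, readyAt: readyAt});
        emit DeploymentQueued(index, logic, readyAt);
    }

    // During the delay the vetoer (or the guardian itself) can drop the entry.
    // This is where a monitoring process reacting to DeploymentQueued would act.
    function cancelDeployment(uint8 index) external {
        if (msg.sender != vetoer && msg.sender != guardian) revert Unauthorized(msg.sender);
        if (queue[index].readyAt == 0) revert NothingQueued(index);
        delete queue[index];
        emit DeploymentCancelled(index);
    }

    // Step 2: after the delay the proxy is created with exactly the logic and
    // init data that were announced, so they cannot be swapped at execution time.
    function executeDeployment(uint8 index) external onlyGuardian returns (address proxy) {
        Pending memory p = queue[index];
        if (p.readyAt == 0) revert NothingQueued(index);
        if (block.timestamp < p.readyAt) revert NotReady(index, p.readyAt);
        delete queue[index];

        proxy = address(new ERC1967Proxy(p.logic, p.data));
        relatedContracts[index] = proxy;
        emit RelatedContractDeployed(index, proxy);
    }

    // Two-step handover: the new address must itself send the accepting
    // transaction, so a mistyped or attacker-supplied address cannot take over.
    function transferGuardian(address newGuardian) external onlyGuardian {
        pendingGuardian = newGuardian;
    }

    function acceptGuardian() external {
        if (msg.sender != pendingGuardian) revert Unauthorized(msg.sender);
        guardian = msg.sender;
        pendingGuardian = address(0);
    }
}
```

The delay only buys time; it is useful only if someone actually watches `DeploymentQueued` events and the vetoer is held by a party other than the guardian. If the same key holds both roles, or nobody monitors the queue, the design degrades back to the single-key factory in the finding.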

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in the README; they can break certain assumptions of the code based on their actions, and
