Flow
Sablier
FoundryDeFi
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Manipulatable delegatecall in Batch.sol

nomadic_bear

Summary

The batch() function allows manipulation of calldata in delegatecall operations, enabling potential malicious function calls within the contract's context.

Vulnerability Details

Location: src/abstracts/Batch.sol:15-23

function batch(bytes[] calldata calls) external {
uint256 count = calls.length;
for (uint256 i = 0; i < count; ++i) {
(bool success, bytes memory result) = address(this).delegatecall(calls[i]);
if (!success) {
revert Errors.BatchError(result);
}
}
}

The vulnerability allows attackers to:

  • Provide maliciously crafted calldata to execute arbitrary functions

  • Access privileged functionality through delegatecall execution

  • Manipulate contract state within allowed function scopes

Impact

Severity: Medium

Potential execution of unintended functions via crafted calldata

Limited to functions already present in contract

Risk mitigated by delegatecall scope restrictions

Tools Used

Slither .

pess-arbitrary-call-calldata-tainted

Impact: Medium
Confidence: Medium

src/abstracts/Batch.sol#L19-L20

Manual review

Recommendations

1.Implement function selector validation:

mapping(bytes4 => bool) public allowedFunctions;
function batch(bytes[] calldata calls) external {
for(uint i = 0; i < calls.length; i++) {
bytes4 selector = bytes4(calls[i][:4]);
require(allowedFunctions[selector], "Function not allowed");
(bool success, bytes memory result) = address(this).delegatecall(calls[i]);
require(success, "Call failed");
}
}

2.Add access controls to restrict batch execution

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.