Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Reentrancy Vulnerability in callExternalContract Method

strongpeach398

Summary:

The callExternalContract function in the MembershipERC1155 contract is vulnerable to reentrancy attacks due to the unchecked use of call to interact with external contracts. This function is defined at the following line:

(bool success, bytes memory returndata) = contractAddress.call{value: msg.value}(data);

This line allows the contract to send Ether to an external address and execute arbitrary bytecode, which opens the contract up to reentrancy attacks if the external contract makes a call back into the vulnerable contract (such as calling sendProfit or manipulating state variables).

Vulnerability Details:

The vulnerability arises because the call method is being used to send Ether and execute arbitrary data on external contracts without protecting against reentrancy. The issue can be exploited if the external contract invoked by callExternalContract performs a recursive call back into the MembershipERC1155 contract.

Reentrancy occurs when an external contract calls back into the contract that initiated the call, potentially before the first call finishes executing. In this case, since there is no reentrancy guard or state check before or after calling external contracts, an attacker could re-enter the sendProfit function or manipulate the profit-distribution logic, which could lead to unintended state modifications or loss of funds.

Affected Code:

The vulnerable function is:

function callExternalContract(address contractAddress, bytes memory data) external payable onlyRole(OWP_FACTORY_ROLE) returns (bytes memory ) {
(bool success, bytes memory returndata) = contractAddress.call{value: msg.value}(data);
require(success, "External call failed");
return returndata;
}

In this function, the external contract is called using the low-level call, which is risky when interacting with untrusted contracts. Since the call is external and there’s no check or lock mechanism preventing further contract calls during its execution, a malicious contract could use reentrancy to exploit this vulnerability.

Specific Problem:

  • The use of call forwards all gas and allows arbitrary data execution.

  • There is no check for reentrancy, and no guard is placed to ensure the contract doesn't interact with external contracts multiple times in an unexpected manner.

  • The contract directly uses the msg.value without any verification or guard, making it possible for an attacker to re-enter the contract and potentially manipulate its state.

This exposes several risks, including but not limited to:

  • Bypassing profit distribution logic: Attackers could manipulate how profits are claimed by re-entering the claimProfit function or the sendProfit function recursively.

  • Funds theft: If the attacker controls the external contract, they can repeatedly trigger callExternalContract to withdraw or manipulate tokens, draining funds from the contract.

  • State manipulation: The attacker could potentially change the state of the contract before the lastProfit variable is updated, bypassing proper accounting for profits.

Impact:

The impact of this vulnerability is high, as it can lead to:

  • Draining Funds: An attacker could craft an external contract that triggers reentrancy to withdraw funds or profit multiple times within a single transaction. This could drain the contract's balance or profit pool.

  • Manipulation of Profit Distribution: The malicious contract could interfere with the profit-sharing mechanism, leading to incorrect profit allocations and enabling the attacker to disproportionately claim profits.

  • State Corruption: Since the attacker could control when profits are updated or when transfers occur, they could corrupt the contract’s internal state and cause it to distribute more profits than intended or in ways that were not intended by the contract logic.

Example of Exploit:

  1. The attacker deploys a malicious contract that calls callExternalContract on the vulnerable contract.

  2. The malicious contract, upon receiving funds from the callExternalContract, re-enters the vulnerable contract by calling claimProfit or other sensitive functions, potentially before the first execution of the transaction completes.

  3. This reentrancy allows the attacker to withdraw profits multiple times, bypassing normal checks and draining funds.

Tools Used:

  1. Slither: This static analysis tool detects common vulnerabilities such as reentrancy, but may miss vulnerabilities if the attack vector involves indirect external calls.

  2. MythX: A smart contract security analysis tool that can help identify reentrancy and other critical vulnerabilities, though it may require configuration to fully capture indirect attack vectors involving external calls.

  3. Manual Review: A careful review of the contract, particularly the callExternalContract function, revealed the reentrancy risk.

Recommendations:

1. Implement Reentrancy Guard:

A reentrancy guard should be implemented to prevent multiple calls to the same contract during the execution of the function. This can be done using a nonReentrant modifier to ensure that the contract cannot be called recursively. For example:

bool private locked;
modifier nonReentrant() {
require(!locked, "ReentrancyGuard: reentrant call");
locked = true;
_;
locked = false;
}
function callExternalContract(address contractAddress, bytes memory data) external payable onlyRole(OWP_FACTORY_ROLE) nonReentrant returns (bytes memory) {
(bool success, bytes memory returndata) = contractAddress.call{value: msg.value}(data);
require(success, "External call failed");
return returndata;
}

This modification prevents reentrancy by locking the contract during the execution of the function, ensuring that it cannot be entered again until the current call is completed.

2. Limit Gas and Use transfer Instead of call:

Where possible, replace the low-level call with safer methods like transfer or send for transferring Ether. These methods limit the amount of gas forwarded to the external contract, preventing untrusted contracts from performing complex actions or re-entering the contract. If interaction with an external contract is required, consider using delegatecall or specifying the exact function to execute to limit exposure.

3. Carefully Audit External Contracts:

Ensure that any contract that is called externally is thoroughly audited for security vulnerabilities, especially reentrancy risks. If the external contract is not controlled by a trusted party, consider placing limits on the amount of gas that can be forwarded or restrict access to only known safe addresses.

4. Use Safe Call Practices:

When interacting with external contracts, ensure that all calls are done in a safe manner, with careful handling of gas limits, return values, and error handling. Avoid passing user-provided data directly into external contracts without validation.

Conclusion:

The callExternalContract function in the MembershipERC1155 contract is susceptible to reentrancy attacks due to its unchecked use of the call method. An attacker can exploit this vulnerability to drain funds, manipulate the profit-sharing mechanism, or corrupt the contract’s internal state. Implementing a reentrancy guard, using safer call methods, and ensuring thorough audits of external contract interactions are critical to mitigating this risk.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.