Project: One World (NFTDeFi, 15,000 USDC)

Submission Details
Severity: medium
Status: Invalid

Excessive Permissions in `callExternalContract` Function

Root Cause:
The callExternalContract function, present in both the MembershipERC1155 and MembershipFactory contracts, lets any account holding the gating role (OWP_FACTORY_ROLE in the snippet below) make an arbitrary external call from the contract: the caller chooses the target address, the full calldata and the ETH value that is forwarded, and the contract only requires that the call succeed.

    // Project code as quoted in the submission: the role holder picks the
    // target, the calldata and the forwarded ETH value; nothing constrains them.
    function callExternalContract(address contractAddress, bytes memory data)
        external
        payable
        onlyRole(OWP_FACTORY_ROLE)
        returns (bytes memory)
    {
        (bool success, bytes memory returndata) = contractAddress.call{value: msg.value}(data);
        require(success, "External call failed");
        return returndata;
    }

Impact:

  • Security Risk: If the OWP_FACTORY_ROLE or EXTERNAL_CALLER role is compromised or granted to the wrong account, its holder can make the contract call any address with any calldata and any ETH value. Because the call originates from the contract itself, this includes approving or transferring tokens the contract holds and invoking functions on other contracts that trust this address as msg.sender. The function is role-gated, so this is a trust assumption on the role holders rather than a permissionless exploit path.

  • Maintenance Risk: A single function that can do anything on the contract's behalf widens the set of actions reviewers and monitoring have to reason about, and makes it impossible to state precisely what the role is allowed to do.

Recommendation:

  • Restrict callExternalContract to the calls the system actually needs, for example by allowlisting (target address, function selector) pairs and, separately, which targets may receive ETH through it.

  • Keep role management strict: grant the role to as few accounts as possible (ideally a multisig or timelock) and monitor role grants and revocations.

  • If the arbitrary-call path is not required, remove it; otherwise combine the allowlist with the access control above so that a compromised role cannot be escalated to full control of the contract's funds.
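One way to implement the first and third recommendations, as an added example that is not the project's code: a hypothetical RestrictedExternalCaller contract in which DEFAULT_ADMIN_ROLE allowlists (target, selector) pairs and ETH-receiving targets, and OWP_FACTORY_ROLE may only make calls that are on that allowlist. It assumes OpenZeppelin's AccessControl (v5 import path) and Solidity 0.8.20 or later; the contract, mapping, event and error names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical hardened variant of callExternalContract (example code, not the
/// One World project's). Instead of letting OWP_FACTORY_ROLE call any address
/// with any calldata, the admin must first allow each (target, selector) pair.
contract RestrictedExternalCaller is AccessControl {
    bytes32 public constant OWP_FACTORY_ROLE = keccak256("OWP_FACTORY_ROLE");

    // target => function selector => allowed?
    mapping(address => mapping(bytes4 => bool)) public allowedCalls;
    // Targets that may receive ETH through this contract at all.
    mapping(address => bool) public allowedValueTargets;

    event CallAllowed(address indexed target, bytes4 indexed selector, bool allowed);
    event ValueTargetAllowed(address indexed target, bool allowed);
    event ExternalCall(address indexed target, bytes4 indexed selector, uint256 value);

    error CalldataTooShort();
    error CallNotAllowed(address target, bytes4 selector);
    error ValueNotAllowed(address target);

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    /// Admin decides which calls the factory role may make. Each entry is a
    /// concrete function on a concrete contract, so the role's power is enumerable.
    function setAllowedCall(address target, bytes4 selector, bool allowed)
        external
        onlyRole(DEFAULT_ADMIN_ROLE)
    {
        allowedCalls[target][selector] = allowed;
        emit CallAllowed(target, selector, allowed);
    }

    /// ETH forwarding is opted into per target, independently of the selector.
    function setAllowedValueTarget(address target, bool allowed)
        external
        onlyRole(DEFAULT_ADMIN_ROLE)
    {
        allowedValueTargets[target] = allowed;
        emit ValueTargetAllowed(target, allowed);
    }

    function callExternalContract(address target, bytes calldata data)
        external
        payable
        onlyRole(OWP_FACTORY_ROLE)
        returns (bytes memory)
    {
        // Plain ETH sends (empty calldata) are deliberately rejected: every call
        // must name a function so it can be matched against the allowlist.
        if (data.length < 4) revert CalldataTooShort();
        bytes4 selector = bytes4(data[:4]);
        if (!allowedCalls[target][selector]) revert CallNotAllowed(target, selector);
        if (msg.value > 0 && !allowedValueTargets[target]) revert ValueNotAllowed(target);

        (bool success, bytes memory returndata) = target.call{value: msg.value}(data);
        if (!success) {
            // Bubble up the callee's revert data instead of a generic message.
            assembly {
                revert(add(returndata, 32), mload(returndata))
            }
        }
        emit ExternalCall(target, selector, msg.value);
        return returndata;
    }
}
```

To let the factory role approve a spender on a token the contract holds, the admin calls setAllowedCall(token, IERC20.approve.selector, true); any other target or selector reverts with CallNotAllowed, and a call that forwards ETH reverts with ValueNotAllowed unless the target was explicitly enabled. A compromised OWP_FACTORY_ROLE is then limited to the enumerated calls rather than to everything the contract can do.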

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
