Project: One World (NFTDeFi), 15,000 USDC

Submission Details
Severity: high
Status: Invalid

Arbitrary Call, NativeMetaTransaction.sol

Summary

The executeMetaTransaction() function of the NativeMetaTransaction contract forwards a caller-supplied functionSignature (the complete calldata of an inner call, selector included) to address(this) through a low-level .call(), building the calldata as abi.encodePacked(functionSignature, userAddress). This submission argues that the unvalidated functionSignature and the packed concatenation let a caller manipulate that calldata and trigger unintended function calls. Two facts visible on this page bound the claim: the target is fixed to address(this), so no external contract can be reached, and the function signature executeMetaTransaction(address,bytes,bytes32,bytes32,uint8) shows that an ECDSA signature (r, s, v) is passed alongside userAddress. In the standard NativeMetaTransaction pattern that signature is verified over functionSignature and a per-user nonce before the call is made; that verification is not excerpted here, so it should be checked in the lines preceding the call (NativeMetaTransaction.sol#33-61).

Vulnerability Details

The submission's claim is that a caller can make unintended function calls inside the contract, potentially triggering privileged actions or exposing sensitive state, because functionSignature is passed unchecked into the low-level call below (NativeMetaTransaction.sol#62-64):

(bool success, bytes memory returnData) = address(this).call{value: msg.value}(
abi.encodePacked(functionSignature, userAddress)
);

Key points of the vulnerability, with the caveats a reviewer should apply:

Unvalidated User Input: functionSignature goes into a low-level .call() with no check in the lines shown. Because the target is address(this), this is a caller-chosen selector on the contract itself, not an arbitrary external call; any access control on the inner function still applies to whatever sender it recovers.
Insecure Data Encoding: abi.encodePacked() is only ambiguous when two dynamically sized values are adjacent. Here a bytes value is followed by a fixed-width 20-byte address, so the layout is deterministic: selector, ABI-encoded arguments, then the 20-byte userAddress. That trailing address is exactly what the msgSender()-style helper of this pattern reads back when msg.sender == address(this).
Lack of Function Signature Verification: the length of functionSignature is not checked. A value shorter than four bytes cannot select a function and lands in the fallback or receive path, and no selector restriction exists.
Unsafe Address Concatenation: the appended userAddress is trusted by the inner call as the original sender. This is safe only if the signature passed to executeMetaTransaction() is verified against userAddress (together with a nonce) before the call; if that check is missing or bypassable, anyone could impersonate any userAddress. The excerpt does not show the check, so the finding stands or falls on it.


Actors


Attacker: A malicious actor seeking to exploit the arbitrary call vulnerability.
Victim: Contract owners or users impacted by unauthorized function executions.
Protocol: The platform within which the NativeMetaTransaction contract operates, potentially allowing function calls outside the intended scope.


Exploit Scenario

Initial State: executeMetaTransaction() forwards functionSignature to address(this) with userAddress appended, as shown above.

Step-by-Step Exploit Description:

Step 1: The attacker calls executeMetaTransaction() with a functionSignature of their choosing, for example the selector and arguments of a privileged function.
Step 2: The contract concatenates functionSignature and userAddress and calls itself, so the inner function sees the appended userAddress as its sender.
Step 3: If the inner function grants rights based on that sender, the attacker obtains those rights.

Outcome: This can lead to unauthorized actions, such as unauthorized fund transfers or exposing sensitive contract functions.

Caveat: the scenario only works if the attacker can choose userAddress freely. With the signature (sigR, sigS, sigV) verified against userAddress before the call, the attacker can only forward calls they have signed for their own address, and the inner call can do no more than that address could do by calling the function directly.

Impact

If the forwarded userAddress can be chosen without a valid signature, the consequences are serious:

  • Control Flow Manipulation: Any function of the contract can be invoked with a spoofed sender, bypassing sender-based access control.

  • Asset Security: Functions that move contract-held funds or user assets on behalf of the sender could be driven by an attacker, leading to financial loss.

  • Protocol Security: The meta-transaction path becomes a generic impersonation primitive. (The original submission also mentions replay attacks; nothing in the excerpt shows the nonce handling, so that claim is not supported by the page as it stands.)

If the signature is verified, none of the above follows: the call executes with the rights of the signer only.

Tools Used

Manual code review and the slitherin arbitrary_call detector:

slitherin . --pess

INFO:Detectors:
Manipulated call found: (success,returnData) = address(this).call{value: msg.value}(abi.encodePacked(functionSignature,userAddress)) (contracts/meta-transaction/NativeMetaTransaction.sol#62-64) in NativeMetaTransaction.executeMetaTransaction(address,bytes,bytes32,bytes32,uint8) (contracts/meta-transaction/NativeMetaTransaction.sol#33-68)
Only the calldata could be manipulated
The calldata could be manipulated through NativeMetaTransaction.executeMetaTransaction(address,bytes,bytes32,bytes32,uint8) (contracts/meta-transaction/NativeMetaTransaction.sol#33-68)
Reference: https://github.com/pessimistic-io/slitherin/blob/master/docs/arbitrary_call.md

Note the detector's own qualifier: only the calldata can be manipulated, not the call target. The detector flags the pattern; it does not know whether a signature check guards it.

Recommendations

Enforce a length check: reject a functionSignature too short to carry a selector:

require(functionSignature.length >= 4, "Invalid function signature length");

Keep abi.encodePacked(); do not switch to abi.encode(). ABI encoding of (bytes, address) prefixes an offset word and a length word, so the first four bytes of the calldata become zero, the selector is no longer at the start, and the last 20 bytes are padding rather than userAddress. The replacement proposed in the original submission would therefore break every meta-transaction:

bytes memory callData = abi.encode(functionSignature, userAddress); // do not use: selector and trailing sender are lost

Restrict selectors if the contract only needs to forward a known set of functions. Slicing with [:4] is only available on calldata arrays; if functionSignature is bytes memory (as in the standard pattern), read the selector with an explicit conversion (Solidity 0.8.5 and later), which takes the first four bytes:

bytes4 selector = bytes4(functionSignature);
require(isWhitelistedFunction(selector), "Function not allowed");

Most importantly, verify the signature (sigR, sigS, sigV) and the user's nonce against userAddress before the call; that check, not the encoding, is what prevents impersonation.
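The calldata layout behind the encoding discussion in the key points above and the checks in these recommendations, as an added example in Python rather than the project's own code. Selectors, addresses and the whitelist are constructed sample values, and recover_sender() is a model of the msgSender()-style helper the NativeMetaTransaction pattern uses, not code from the One World repository.

```python
# Added example: models, in plain Python, how executeMetaTransaction() lays out
# its calldata and why the encoding and the checks matter. None of this is code
# from the One World repository; selectors, addresses and the whitelist are
# constructed sample values.

SELECTOR_TRANSFER = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
ALLOWED_SELECTORS = {SELECTOR_TRANSFER}        # hypothetical whitelist


def word(value: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return value.to_bytes(32, "big")


def encode_packed(function_signature: bytes, user: bytes) -> bytes:
    """abi.encodePacked(bytes, address): raw concatenation, no offset or length words.
    The selector stays at bytes 0..4 and the 20-byte address sits at the very end."""
    assert len(user) == 20, "address must be 20 bytes"
    return function_signature + user


def encode_abi(function_signature: bytes, user: bytes) -> bytes:
    """abi.encode(bytes, address): head = [offset of bytes tail, address padded to 32],
    tail = [length word, data padded to a 32-byte multiple]. The selector is no longer
    at the start and the trailing bytes are padding, not the address."""
    assert len(user) == 20, "address must be 20 bytes"
    padded = function_signature + b"\x00" * (-len(function_signature) % 32)
    head = word(2 * 32) + user.rjust(32, b"\x00")  # tail starts after two head slots
    tail = word(len(function_signature)) + padded
    return head + tail


def selector(calldata: bytes) -> bytes:
    """The four bytes the EVM dispatcher uses to pick the function."""
    return calldata[:4]


def recover_sender(calldata: bytes, real_sender: bytes, this: bytes) -> bytes:
    """Model of the msgSender() helper of the NativeMetaTransaction pattern:
    when the contract calls itself, the original sender is the last 20 bytes of
    calldata; for any other caller it is the real msg.sender."""
    if real_sender == this:
        return calldata[-20:]
    return real_sender


def validate_function_signature(function_signature: bytes):
    """The two input checks from the recommendations: minimum length, then a
    selector whitelist. Returns None when acceptable, else the revert reason."""
    if len(function_signature) < 4:
        return "Invalid function signature length"
    if selector(function_signature) not in ALLOWED_SELECTORS:
        return "Function not allowed"
    return None


def build_meta_call(function_signature: bytes, user: bytes, this: bytes) -> tuple:
    """What the contract does at NativeMetaTransaction.sol#62-64 (packed encoding),
    followed by what the inner self-call would recover as its sender."""
    calldata = encode_packed(function_signature, user)
    return calldata, recover_sender(calldata, this, this)


if __name__ == "__main__":
    signer = bytes.fromhex("11" * 20)      # constructed userAddress
    contract = bytes.fromhex("22" * 20)    # constructed address(this)
    recipient = bytes.fromhex("33" * 20)   # constructed transfer() recipient
    inner = SELECTOR_TRANSFER + recipient.rjust(32, b"\x00") + word(1000)

    calldata, seen_as = build_meta_call(inner, signer, contract)
    print("packed selector:", selector(calldata).hex(), "sender:", seen_as.hex())

    broken = encode_abi(inner, signer)
    print("abi.encode selector:", selector(broken).hex(),
          "last 20 bytes:", broken[-20:].hex())
    print("short input:", validate_function_signature(b"\x01\x02"))
```

Running the script shows the packed calldata keeping a9059cbb in front and the signer's address at the end, while the abi.encode variant starts with four zero bytes and ends in zero padding, which is why the second recommendation in the original submission would have broken the contract rather than hardened it.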
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
