Project: One World
NFTDeFi
15,000 USDC

Submission Details
Severity: low
Invalid

No Calldata Length Check in _msgSender Function

Summary

Use OpenZeppelin's Context `_msgSender` function to obtain the address; it reverts if the length of calldata is less than 20 bytes (an address length).

Vulnerability Details

The _msgSender function in the OWPIdentity.sol contract does not verify the length of msg.data before attempting to extract the original sender's address.

```solidity
function _msgSender()
    internal
    view
    override
    returns (address sender)
{
    if (msg.sender == address(this)) {
        bytes memory array = msg.data;
        uint256 index = msg.data.length;
        assembly {
            // Load the 32 bytes word from memory with the address on the lower 20 bytes, and mask those.
            sender := and(
                mload(add(array, index)),
                0xffffffffffffffffffffffffffffffffffffffff
            )
        }
    } else {
        sender = msg.sender;
    }
    return sender;
}
```

  • The function assumes that the last 20 bytes of msg.data contain the original sender's address.

  • It does not check if msg.data is long enough to safely extract these 20 bytes.

Impact

Unexpected behaviour.

Tools Used

Manual review.

Recommendations

Use the OpenZeppelin Context contract to get the `_msgSender`: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/448efeea6640bbbc09373f03fbc9c88e280147ba/contracts/metatx/ERC2771Context.sol#L65C4-L78C6

There, the function checks that `the calldata length is not less than 20 bytes (an address length).`
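As an added example (not the project's code and not OpenZeppelin's), a length-checked variant of the same suffix extraction: it keeps the page's `msg.sender == address(this)` gate, rejects calldata shorter than the 20-byte suffix, and reads the suffix with a calldata slice instead of an unchecked `mload`. The contract name is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical contract name; only the length-checked _msgSender is illustrated.
contract SuffixSenderExample {
    /// Size of the sender suffix appended to calldata: one address (20 bytes).
    uint256 private constant SENDER_SUFFIX_LENGTH = 20;

    /// Returns the original sender encoded in the trailing 20 bytes of calldata,
    /// or msg.sender when the suffix cannot be present.
    function _msgSender() internal view virtual returns (address) {
        uint256 calldataLength = msg.data.length;
        // Same self-call gate as the reported code; OpenZeppelin's ERC2771Context
        // checks a trusted forwarder here instead. The length check is the fix:
        // with fewer than 20 bytes of calldata there is no suffix to read.
        if (msg.sender == address(this) && calldataLength >= SENDER_SUFFIX_LENGTH) {
            // Calldata slice of exactly the last 20 bytes; the slice bounds are
            // checked by the compiler, so no out-of-range memory word is loaded.
            return address(bytes20(msg.data[calldataLength - SENDER_SUFFIX_LENGTH:]));
        }
        return msg.sender;
    }
}
```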

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
