QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Insufficient Validation of Token Symbol in LPNFT.sol

Summary

The name and symbol strings stored by the LPNFT.sol contract are not filtered in any way, so markup or script can be written into them. With no character restrictions or length limit, this can lead to XSS or HTML injection in any Web3 application that renders these values, allowing an attacker to manipulate what users see.

Vulnerability Details

The name and symbol variables in the LPNFT.sol contract are not filtered in any way, allowing an attacker to create a token with malicious JavaScript or HTML injected into these fields. The fields are also not limited by character count, so a large payload can be injected. If the web application does not neutralise the content of these variables before displaying them, it will be vulnerable to XSS or HTML injection wherever the values are rendered.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/LPNFT.sol#L29

Impact

If an attacker creates an asset whose symbol contains a malicious JavaScript payload, they could obtain a stored XSS on any website that renders the NFT name and symbol, since the NFT itself is legitimately generated by this dapp. According to correspondence with the sponsor, the created NFT may also be transferred to other applications such as NFT exchanges, which extends the stored XSS risk to those dApps. This could, for example, let the attacker run a keylogger script that collects every input a user types, including passwords, or display a fake MetaMask pop-up asking the user to sign a malicious transaction.

Tools Used

Manual review.

Recommendations

It is absolutely necessary to sanitize user input. The asset symbol should only contain the characters A-Z, a-z and 0-9, with special characters such as <, / and > rejected. The permitted length should also be tightly limited. The principle of defense in depth should be applied, securing every possible injection point in the best possible way. A minimal on-chain check along these lines (this version only rejects a few markup characters and caps the length; an allowlist is stricter):

```solidity
// Cap the symbol length first so the loop below has a bounded cost.
require(bytes(symbol_).length <= 10, "NFT: symbol too long");
bytes memory symbolBytes = bytes(symbol_);
for (uint i = 0; i < symbolBytes.length; i++) {
    bytes1 char = symbolBytes[i];
    // Reject the characters most commonly used to break out of an HTML text context.
    require(
        char != bytes1('<') &&
        char != bytes1('>') &&
        char != bytes1('{') &&
        char != bytes1('}'),
        "NFT: invalid symbol character"
    );
}
```
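The on-chain check above is only one layer. The dapp side of the defense in depth described in the recommendation, as an added example that is not part of the original submission or the QuantAMM code base: the symbol allowlist mirrors the recommended rule (letters and digits only, at most 10 characters, an assumed limit), and every token-derived string is HTML-escaped before it is placed into markup, so a name or symbol that was stored before validation existed cannot break out of its text context.

```javascript
// Added example, not code from the LPNFT.sol project or its front end.
const SYMBOL_MAX_LEN = 10;           // assumed limit, matches the require() above
const SYMBOL_RE = /^[A-Za-z0-9]+$/;  // A-Z, a-z, 0-9 only, as recommended

// Client-side mirror of the on-chain rule: reject anything outside the allowlist.
function isValidSymbol(symbol) {
  return typeof symbol === "string" &&
    symbol.length > 0 &&
    symbol.length <= SYMBOL_MAX_LEN &&
    SYMBOL_RE.test(symbol);
}

// Escape the five characters that matter in an HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the NFT card markup with every untrusted field escaped. Returns the string
// so it can be checked; a browser would assign it to the card container (or, better
// still, set each field via textContent so no HTML parsing of user data happens).
function renderNftCard({ name, symbol, tokenId }) {
  const safeSymbol = isValidSymbol(symbol) ? symbol : "INVALID";
  return `<div class="nft-card">` +
    `<h3>${escapeHtml(name)}</h3>` +
    `<span class="symbol">${escapeHtml(safeSymbol)}</span>` +
    `<span class="id">#${escapeHtml(tokenId)}</span>` +
    `</div>`;
}

// Constructed sample values, not taken from any real pool or token.
const SAMPLES = [
  { name: "QuantAMM LP", symbol: "QLP", tokenId: 1 },
  { name: "<script>alert(1)</script>", symbol: "<b>X</b>", tokenId: 2 },
];

for (const s of SAMPLES) {
  console.log(renderNftCard(s));
}
```

The second sample shows the fallback path: the symbol is replaced by a fixed marker because it fails the allowlist, and the name is rendered as inert text rather than parsed as a script element.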

https://solodit.cyfrin.io/issues/insufficient-input-validation-on-sablierv2nftdescriptorsafeassetsymbol-allows-an-attacker-to-obtain-stored-xss-codehawks-sablier-git

https://codehawks.cyfrin.io/c/2024-10-swan-dria/results?lt=contest&sc=reward&sj=reward&page=1&t=report

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
