Zaros Part 2
Perpetuals DEX, Foundry, Solidity
Prize pool: 70,000 USDC
Submission Details
Severity: medium
Status: Invalid

[M-12] Missing Event Signature Verification in checkLog Function

Summary

The checkLog function in UsdTokenSwapKeeper never confirms that log.topics[0] equals the signature of the event it is meant to react to. A log whose topics[1] and topics[2] carry a plausible caller address and requestId, but whose topics[0] is some other event signature, is processed exactly like a genuine swap-request event, so the keeper's Chainlink upkeep path can be triggered for logs it was never meant to act on.

Vulnerability Details

The checkLog function is the log-trigger entry point of a Chainlink Automation upkeep: it receives a log emitted by another contract and decides whether an action (here, a swap request that needs a Data Streams lookup) should be performed. An EVM log carries up to four topics; topics[0] is the keccak256 hash of the event signature and the remaining topics are the indexed parameters.

checkLog reads topics[1] as the caller and topics[2] as the requestId but never compares topics[0] against the expected signature. The implicit guarantee that only the intended event drives the keeper is therefore not enforced in the contract itself: any log with a matching layout of topics[1] and topics[2] and an arbitrary topics[0] passes the same decoding and lookup path. Note also that topics[1] and topics[2] are indexed without first checking log.topics.length, so a log with fewer than three topics makes the function revert with an out-of-bounds access rather than returning (false, "").

Impact

Without the signature check, a log from an unrelated event can drive the keeper into the same getSwapRequest lookup and StreamsLookup revert as a real swap request. The consequences are false triggers and operational noise: the upkeep pipeline evaluates and potentially attempts to service requests that no swap-request event actually announced, which undermines the reliability of the keeper's automation.

Likelihood Explanation

The likelihood is moderate. An attacker has to produce a log whose topics[1] and topics[2] line up with an existing user and requestId, which is easy for any contract the attacker controls, but the rest of the trigger path (the Automation network's own filtering and the subsequent performUpkeep checks) still has to be passed. The keeper's complete reliance on log contents for automation is what makes the missing check worth fixing.

POC

  • Attacker emits a log with log.topics[1] = a legitimate caller address and log.topics[2] = a valid requestId, but log.topics[0] set to the signature of some unrelated event.

  • The log reaches checkLog, which performs no signature verification.

  • checkLog calls getSwapRequest for that user/requestId combination and continues through the deadline and assetOut checks to the StreamsLookup revert exactly as if a genuine swap-request event had been observed.

function checkLog(
    AutomationLog calldata log,
    bytes memory
)
    external
    view
    returns (bool upkeepNeeded, bytes memory performData)
{
    // According to Chainlink docs, log.topics[0] should contain the event signature.
    // ISSUE: This code never verifies that log.topics[0] is the correct, expected event signature,
    // allowing an attacker to forge logs with a bogus signature.
    // Only topics[1] (caller) and topics[2] (requestId) are read.
    address caller = bytes32ToAddress(log.topics[1]);
    uint128 requestId = uint128(uint256(log.topics[2]));

    UsdTokenSwapKeeperStorage storage self = _getUsdTokenSwapKeeperStorage();
    UsdTokenSwapConfig.SwapRequest memory request =
        IMarketMakingEngine(self.marketMakingEngine).getSwapRequest(caller, requestId);

    if (request.deadline < block.timestamp) {
        return (false, new bytes(0));
    }
    if (request.assetOut != self.asset) {
        return (false, new bytes(0));
    }

    string[] memory streams = new string[](1);
    streams[0] = self.streamId;
    bytes memory extraData = abi.encode(caller, requestId);

    // The function reverts to trigger Chainlink Streams Lookup with the collected data
    revert StreamsLookup(DATA_STREAMS_FEED_LABEL, streams, DATA_STREAMS_QUERY_LABEL, block.timestamp, extraData);
}

Recommendations

Verify log.topics[0] against the intended event signature before decoding the remaining topics. The signature is the keccak256 hash of the canonical signature string (parameter types only, no names and no indexed keywords):

bytes32 expectedSignature = keccak256("SwapRequested(address,uint128,...)");
require(log.topics[0] == expectedSignature, "Invalid event signature");

Returning (false, new bytes(0)) on a mismatch is preferable to a require revert in checkLog, since the Automation network simulates checkLog off-chain and a plain "no upkeep needed" result is the expected outcome for a log that does not belong to this keeper. The same early return should guard log.topics.length < 3 so that malformed logs cannot cause an out-of-bounds revert. Chainlink Automation's log trigger configuration already filters on the emitting contract address and topic0 at registration time, so the in-contract check is defense in depth: it makes the keeper correct on its own rather than dependent on the upkeep having been registered with the right filter.
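The hardened checkLog and a Foundry test that feeds it a forged log, as an added example written for this page rather than code from the Zaros repository. The Log struct mirrors Chainlink Automation's ILogAutomation.Log; the SwapRequested event name, its (address, uint128) parameter list, the HardenedKeeper contract and the 0xBEEF/0xCAFE addresses are all hypothetical stand-ins for the project's real event and keeper, whose exact signature the finding elides. The project-specific deadline and assetOut checks are omitted so the example focuses on the signature and topic-count guards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Minimal mirror of Chainlink Automation's Log struct (ILogAutomation.sol).
struct Log {
    uint256 index;
    uint256 timestamp;
    bytes32 txHash;
    uint256 blockNumber;
    bytes32 blockHash;
    address source;   // contract that emitted the log
    bytes32[] topics; // topics[0] = event signature hash, topics[1..3] = indexed params
    bytes data;
}

/// Hypothetical keeper; the real project's event signature must be substituted below.
contract HardenedKeeper {
    // keccak256 of the canonical signature string: parameter types only,
    // no parameter names and no "indexed" keywords.
    bytes32 public constant SWAP_REQUESTED_SIG = keccak256("SwapRequested(address,uint128)");

    // Only logs from this contract are accepted (defense in depth next to the
    // address filter in the upkeep's log trigger configuration).
    address public immutable expectedSource;

    constructor(address source) {
        expectedSource = source;
    }

    /// Returns (false, "") for any log that is not the expected event from the
    /// expected emitter. Returning instead of reverting lets an Automation
    /// simulation report "no upkeep needed" for foreign logs.
    function checkLog(Log calldata log, bytes memory)
        external
        view
        returns (bool upkeepNeeded, bytes memory performData)
    {
        if (log.source != expectedSource) return (false, "");
        if (log.topics.length < 3) return (false, "");        // guards topics[1]/[2] below
        if (log.topics[0] != SWAP_REQUESTED_SIG) return (false, "");

        address caller = address(uint160(uint256(log.topics[1])));
        uint128 requestId = uint128(uint256(log.topics[2]));
        // Project-specific request lookup, deadline and assetOut checks would go here.
        return (true, abi.encode(caller, requestId));
    }
}

contract CheckLogTest is Test {
    HardenedKeeper internal keeper;
    address internal constant EMITTER = address(0xBEEF); // constructed test address
    address internal constant USER = address(0xCAFE);    // constructed test address

    function setUp() public {
        keeper = new HardenedKeeper(EMITTER);
    }

    // Builds a constructed log with the given emitter, signature and indexed params.
    function _makeLog(address source, bytes32 sig, address caller, uint128 id)
        internal
        view
        returns (Log memory l)
    {
        l.source = source;
        l.timestamp = block.timestamp;
        l.topics = new bytes32[](3);
        l.topics[0] = sig;
        l.topics[1] = bytes32(uint256(uint160(caller)));
        l.topics[2] = bytes32(uint256(id));
    }

    function test_rejectsForgedSignature() public view {
        // Same topics[1]/[2] as a genuine request, but a different event hash in topics[0].
        Log memory forged = _makeLog(EMITTER, keccak256("Bogus(address,uint128)"), USER, 7);
        (bool needed, ) = keeper.checkLog(forged, "");
        assertFalse(needed);
    }

    function test_rejectsForeignEmitter() public view {
        Log memory foreign = _makeLog(address(0xD00D), keeper.SWAP_REQUESTED_SIG(), USER, 7);
        (bool needed, ) = keeper.checkLog(foreign, "");
        assertFalse(needed);
    }

    function test_rejectsTooFewTopics() public view {
        Log memory short_ = _makeLog(EMITTER, keeper.SWAP_REQUESTED_SIG(), USER, 7);
        short_.topics = new bytes32[](1); // only the signature, no indexed params
        short_.topics[0] = keeper.SWAP_REQUESTED_SIG();
        (bool needed, ) = keeper.checkLog(short_, ""); // returns instead of reverting
        assertFalse(needed);
    }

    function test_acceptsGenuineLog() public view {
        Log memory genuine = _makeLog(EMITTER, keeper.SWAP_REQUESTED_SIG(), USER, 7);
        (bool needed, bytes memory performData) = keeper.checkLog(genuine, "");
        assertTrue(needed);
        (address caller, uint128 id) = abi.decode(performData, (address, uint128));
        assertEq(caller, USER);
        assertEq(uint256(id), 7);
    }
}
```

Run with forge test. The forged-signature case is the one the finding describes; the foreign-emitter and short-topics cases are the two neighbouring checks a keeper that decodes raw log topics should also have.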

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
