Summary
Arbitrary external calls without whitelisting
Vulnerability Details
Issue: contractInteractions()
Allows Unrestricted External Calls
Impact
This function allows the owner to make arbitrary external calls to any target, with any payload and attached value, without whitelisting, enabling potential exploits.
Tools Used
/// @notice Forwards a low-level call from this contract to `_target`, optionally recording the return data.
/// @dev The only restriction on who may call this is `onlyOwner`; nothing restricts `_target` or
///      `_payload`, so any address can be called with any calldata and `_value` wei attached.
/// @param _target Address receiving the low-level call (no whitelist is applied).
/// @param _payload Raw calldata forwarded unchanged to `_target`.
/// @param _value Wei sent along with the call.
/// @param _storeTarget When true, the call's return data is saved in `interactions[_target]`.
function contractInteractions(address _target, bytes calldata _payload, uint256 _value, bool _storeTarget)
external nonReentrant onlyOwner
{
// Low-level call: forwards `_value` wei (and, with no gas limit set, all available gas) to `_target`.
(bool success, bytes memory data) = _target.call{value: _value}(_payload);
// Reverts with a fixed reason on failure; the callee's own revert reason is not bubbled up.
require(success, "interaction failed");
if (_storeTarget) {
// Return data is stored as-is; it is not decoded or validated here.
interactions[_target] = data;
}
}
Recommendations
Implement a whitelist of approved contracts for interactions:
// Targets that `contractInteractions` may call; only the owner can add or remove entries.
mapping(address => bool) private approvedContracts;
/// Reverts unless `_target` has been approved in `approvedContracts`.
modifier onlyWhitelistedContract(address _target) {
    if (!approvedContracts[_target]) {
        revert("Contract not whitelisted");
    }
    _;
}
/// @notice Owner-only low-level call to a whitelisted `_target`, optionally recording the return data.
/// @param _target Address receiving the call; must pass `onlyWhitelistedContract`.
/// @param _payload Raw calldata forwarded unchanged to `_target`.
/// @param _value Wei sent along with the call.
/// @param _storeTarget When true, the return data is saved in `interactions[_target]`.
function contractInteractions(address _target, bytes calldata _payload, uint256 _value, bool _storeTarget)
external nonReentrant onlyOwner onlyWhitelistedContract(_target)
{
    (bool ok, bytes memory returned) = _target.call{value: _value}(_payload);
    if (!ok) {
        revert("interaction failed");
    }
    if (!_storeTarget) {
        return;
    }
    interactions[_target] = returned;
}
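/// Emitted on every whitelist change so off-chain monitoring can track which targets are callable.
event ApprovedContractUpdated(address indexed target, bool approved);

/// @notice Owner-only: allow `_contract` as a target for `contractInteractions`.
/// @param _contract Address to approve.
function addApprovedContract(address _contract) external onlyOwner {
    approvedContracts[_contract] = true;
    emit ApprovedContractUpdated(_contract, true);
}

/// @notice Owner-only: revoke `_contract` as a target for `contractInteractions`.
/// @param _contract Address to remove from the whitelist.
function removeApprovedContract(address _contract) external onlyOwner {
    approvedContracts[_contract] = false;
    emit ApprovedContractUpdated(_contract, false);
}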