Summary
`contractInteractions()` allows arbitrary contract calls. Consider whitelisting trusted protocols.
Vulnerability Details
`contractInteractions()` allows unrestricted external calls.
Impact
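This function lets the caller choose the target address, the calldata and the ETH value of an external call, and no whitelist of targets is checked. The only gates are `onlyOwner` and `nonReentrant`, so a mistaken, malicious or compromised owner key can direct the contract to call any address with any payload, enabling potential exploits.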
Tools Used
/// @notice Forwards `_payload` and `_value` wei to `_target` with a low-level call.
/// @dev Subject of this finding: `_target` and `_payload` are both caller-supplied and
///      nothing in this function checks them. `onlyOwner` is the only access gate, so
///      the owner key can make this contract call any address with any calldata.
/// @param _target Address to call; not validated here.
/// @param _payload Raw calldata passed through unchanged.
/// @param _value Wei sent along with the call.
/// @param _storeTarget When true, the call's return data is saved in `interactions[_target]`.
function contractInteractions(address _target, bytes calldata _payload, uint256 _value, bool _storeTarget)
    external
    nonReentrant
    onlyOwner
{
    // A low-level call to an address that holds no code also reports success,
    // so the check below does not show that a contract actually executed.
    (bool ok, bytes memory returnData) = _target.call{value: _value}(_payload);
    if (!ok) {
        revert("interaction failed");
    }

    // Return data is attacker-influenced when the target is untrusted; it is
    // stored as-is, keyed by the target address.
    if (_storeTarget) {
        interactions[_target] = returnData;
    }
}
Recommendations
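Restrict arbitrary external calls for security: only allow interactions with whitelisted contracts. Note that in the example below the whitelist is managed by the same owner role that makes the calls, so it guards against mistaken or phished targets but not against a compromised owner key, and it restricts calls by target address only, not by function selector or value.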
/// @dev Whitelist of call targets; `true` marks an address as approved.
mapping(address => bool) private approvedContracts;

/// @dev Reverts with "Contract not whitelisted" unless `_target` is marked approved.
///      The check is on the address only: it does not look at the calldata, the
///      function selector or the ETH value of the call it guards.
modifier onlyWhitelistedContract(address _target) {
    if (!approvedContracts[_target]) {
        revert("Contract not whitelisted");
    }
    _;
}
/// @notice Forwards `_payload` and `_value` wei to a whitelisted `_target` with a low-level call.
/// @dev `onlyWhitelistedContract(_target)` rejects targets that are not approved.
///      What the whitelist does not cover: `_payload` is still arbitrary, so every
///      function of an approved contract is reachable, and an approved address that
///      is an upgradeable proxy can change behaviour after approval.
/// @param _target Address to call; must be approved in `approvedContracts`.
/// @param _payload Raw calldata passed through unchanged.
/// @param _value Wei sent along with the call.
/// @param _storeTarget When true, the call's return data is saved in `interactions[_target]`.
function contractInteractions(address _target, bytes calldata _payload, uint256 _value, bool _storeTarget)
    external
    nonReentrant
    onlyOwner
    onlyWhitelistedContract(_target)
{
    (bool ok, bytes memory returnData) = _target.call{value: _value}(_payload);
    if (!ok) {
        revert("interaction failed");
    }

    if (_storeTarget) {
        interactions[_target] = returnData;
    }
}
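/// @dev Emitted on every whitelist change so additions and removals can be
///      monitored off-chain; without it, changes are only visible in storage.
event ApprovedContractUpdated(address indexed target, bool approved);

/// @notice Marks `_contract` as an approved target for `contractInteractions`.
/// @dev NOTE(review): this is gated by the same `onlyOwner` role that performs the
///      calls, so the whitelist does not constrain a compromised owner key. Consider
///      a separate role or a timelock for whitelist changes.
/// @param _contract Address to approve; must not be the zero address.
function addApprovedContract(address _contract) external onlyOwner {
    // A call to address(0) succeeds at the EVM level and would burn any value
    // sent with it, so it is never a meaningful whitelist entry.
    require(_contract != address(0), "Zero address");
    approvedContracts[_contract] = true;
    emit ApprovedContractUpdated(_contract, true);
}

/// @notice Removes `_contract` from the approved targets.
/// @param _contract Address to un-approve; removing an address that was never
///        approved leaves it un-approved.
function removeApprovedContract(address _contract) external onlyOwner {
    approvedContracts[_contract] = false;
    emit ApprovedContractUpdated(_contract, false);
}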