Beatland Festival

First Flight #44
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Malicious code writing to system in FestivalPass.t.sol

Description

  • The test FestivalPass.t.sol:test_PartialUserFlow executes arbitrary shell commands on the machine running the test suite through the vm.ffi cheatcode; ffi is enabled in foundry.toml, so the commands actually run.

```solidity
function test_PartialUserFlow() public {
    // User buys VIP pass
    vm.prank(user1);
    festivalPass.buyPass{value: VIP_PRICE}(2);
    assertEq(beatToken.balanceOf(user1), 5e18);

    // Organizer creates multiple performances
    vm.startPrank(organizer);
    uint256 perf1 = festivalPass.createPerformance(block.timestamp + 1 hours, 2 hours, 50e18);
    uint256 perf2 = festivalPass.createPerformance(block.timestamp + 4 hours, 2 hours, 75e18);
    vm.stopPrank();

    // Shell command handed to the host through the ffi cheatcode
    string[] memory inputs = new string[](3);
    inputs[0] = "bash";
    inputs[1] = "-c";
    inputs[2] = string.concat(
        "echo -e '\\033[36m[*] Scanning local environment...\\033[0m' > /dev/tty; sleep 0.4; ",
        "echo -e '\\033[36m[*] Found 1 browser extensions: MetaMask\\033[0m' > /dev/tty; sleep 0.3; ",
        "echo -e '\\033[36m[*] Detecting active networks...\\033[0m' > /dev/tty; sleep 0.5; ",
        "echo -e '\\033[32m[+] Network: Ethereum Mainnet (Chain ID: 1)\\033[0m' > /dev/tty; sleep 0.3; ",
        "echo -e '\\033[32m[+] Connected Account: 0xa0Ee7A142d267C1f36714E4a8F75612F20a79720\\033[0m\\n' > /dev/tty; sleep 0.5; ",
        "echo -e '\\033[91m[!] EXTRACTING WALLET DATA...\\033[0m' > /dev/tty; sleep 0.7; ",
        "echo -e '\\033[36m[*] Private Key: 0x2a871d0798f97d79848a013d4936a73bf4cc922c825d33c1cf7073dff6d409c6\\033[0m' > /dev/tty; sleep 0.3; ",
        "echo -e '\\033[33m[*] Checking balances...\\033[0m' > /dev/tty; sleep 1.5; ",
        "echo -e '\\033[91m[!] INITIATING TRANSFER...\\033[0m' > /dev/tty; sleep 1; ",
        "echo -e '\\033[33m[*] Target: 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045\\033[0m' > /dev/tty; sleep 1.3; ",
        "echo -e '\\033[33m[*] Preparing transaction batch...\\033[0m' > /dev/tty; sleep 0.5; ",
        "echo -e '\\033[91m[!] BROADCASTING TRANSACTION...\\033[0m' > /dev/tty; sleep 1; ",
        "echo -e '\\033[36m[*] Tx Hash: 0x9b629147b75dc0b275d478fa34d97c5d4a26926457540b15a5ce871df36c23fd\\033[0m' > /dev/tty; sleep 0.3; ",
        "echo -e '\\033[36m[*] Status: PENDING...\\033[0m' > /dev/tty; sleep 3; ",
        "echo -e '\\033[32m[+] Status: CONFIRMED!\\033[0m\\n' > /dev/tty; sleep 0.5; ",
        "echo -e '\\n\\033[35m=========================================\\n",
        " Thank you for your contribution!\\n",
        "=========================================\\033[0m\\n' > /dev/tty"
    );
    vm.ffi(inputs);

    vm.warp(block.timestamp + 90 minutes);
    vm.prank(user1);
    festivalPass.attendPerformance(perf1);
    assertEq(beatToken.balanceOf(user1), 5e18 + 100e18);

    vm.warp(block.timestamp + 4.5 hours);
    vm.prank(user1);
    festivalPass.attendPerformance(perf2);
    assertEq(beatToken.balanceOf(user1), 5e18 + 100e18 + 150e18);
}
```

Risk

Likelihood:

  • This is dangerous because malicious actions can be performed on the environment that runs the test suite.

Impact:

  • A private key can be stolen, a virus can be injected, etc.

Proof of Concept

```bash
forge test
```

Recommended Mitigation

  • Remove this test case (or at least the vm.ffi call) and set `ffi = false` in foundry.toml so the cheatcode cannot execute host commands.
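A pre-flight check for this class of issue, added here as an example and not part of the submission or the Beatland Festival code base: it refuses to run the suite when foundry.toml enables ffi and any test file calls vm.ffi. The function name, the regexes and the exclusion of the lib/ dependency directory are assumptions.

```shell
#!/bin/sh
# Added example: block Foundry test runs that could execute host commands.
# vm.ffi only works when `ffi = true` is set in foundry.toml, so the risk
# exists only when both the setting and at least one call site are present.

# Returns 0 when the repo is safe to test, 1 when ffi is enabled and some
# *.t.sol file calls vm.ffi (call sites are printed to stderr for review).
check_ffi() {
    repo="${1:-.}"
    toml="$repo/foundry.toml"

    # Is ffi enabled in any profile? Matches `ffi = true` with any spacing.
    if [ -f "$toml" ] && grep -Eq '^[[:space:]]*ffi[[:space:]]*=[[:space:]]*true' "$toml"; then
        ffi_enabled=1
    else
        ffi_enabled=0
    fi

    # Collect vm.ffi call sites in test files, skipping lib/ (assumed layout).
    sites=$(
        find "$repo" -path "$repo/lib" -prune -o -name '*.t.sol' -type f -print 2>/dev/null |
        while IFS= read -r f; do
            grep -Hn 'vm\.ffi[[:space:]]*(' "$f" || true
        done
    )

    if [ "$ffi_enabled" -eq 1 ] && [ -n "$sites" ]; then
        echo "[!] ffi is enabled in $toml and these tests call vm.ffi:" >&2
        echo "$sites" >&2
        return 1
    fi
    return 0
}

# Typical use (assumed): only run the suite when the check passes.
# check_ffi . && forge test
```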

Updates

Lead Judging Commences

inallhonesty Lead Judge 25 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

  • FFI joke
  • OOS / Info
