ERC827: abuse of CUSTOM_CALL will cause unexpected result #1044
Comments
Thank you for the analysis @p0n1. I agree with your assessment. We will remove this token. Unfortunately at the time this was merged we didn't have a clear policy on how to treat early ERC drafts. Since then, we have blocked a couple of ERC implementations that were way too early in the process to have received meaningful feedback, and created a
Yes! Add ERC draft implementation to
@p0n1 @frangio I agree on moving the ERC827 implementation to the proposals folder and continuing to work on these issues there; I would love to find a way to fix these issues here or on the ERC827 EIP issue.
I created a gitter channel to discuss the ERC827 standard, implementations and governance of the standard: https://gitter.im/ERC827/Lobby I also created a public calendar on Google Calendar for ERC827 community calls, maybe to happen once every two weeks, where anyone in the community can join. The first call will be 5 June at 5pm GMT+2. Link to the ERC827 calendar: https://calendar.google.com/calendar?cid=bjg3bDdvcXVmMTQybmY4MGxlMGtoM3J2cThAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ
FYI, I have posted to the Magicians Forum in order to get more visibility on this issue by the contract security working group.
And the msg.sender of the called function is the contract itself. Why was it in an OpenZeppelin official release? 🤦♂️
🎉 Description
Dangerous ERC827 implementation of anythingAndCall: https://github.com/OpenZeppelin/openzeppelin-solidity/blob/f18c3bc438b366f9cb3a8613f5be160c2cbced5e/contracts/token/ERC827/ERC827Token.sol#L46
Users are allowed to pass arbitrary data, leading to calling any function with any data on any contract address.
💻 Environment
Any contract using this ERC827 implementation or with similar CUSTOM_CALL feature will be affected.
📝 Details
It is a really bad practice to allow the abuse of CUSTOM_CALL in a token standard.
Attackers could call any contract in the name of the vulnerable contract with CUSTOM_CALL.
This vulnerability makes the following attack scenarios possible:
- Attackers could steal almost every kind of token belonging to the vulnerable contract [1] [2]
- Attackers could steal almost every kind of token approved to the vulnerable contract
- Attackers could bypass the auth check in the vulnerable contract by proxying through the contract itself in special situations [3] (edit: the current OpenZeppelin implementation is not affected, thanks to require(_to != address(this));)
- Attackers could pass fake values as parameters to cheat the receiver contract [4]
We (SECBIT) think that the ERC827 proposal should be discussed further in the community before OpenZeppelin puts the implementation in the repo. Many developers could use this code without knowing about the hidden danger.
[1] attack 1, https://etherscan.io/tx/0xb72dcc4d04381ccad416b960e95183e94ee13e942743da913cf139c8abe212e7
[2] attack 2, https://etherscan.io/tx/0x40a292d74bddaac2690385aee0c366edf31904ef681b547b1baa3190ba568888
[3] custom_call related bug, https://medium.com/@atnio/erc223-smart-contract-breach-and-resolution-vulnerability-relating-to-the-concurrent-9a402495f382
[4] pass fake values to receiver contract, ethereum/EIPs#827 (comment)
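The following contrast is an added illustration for readers of this issue; it is not OpenZeppelin's ERC827Token code and not code from any commenter. The first contract shows the shape the report describes (the token forwards caller-supplied calldata with its own address as msg.sender, guarded only by the require(_to != address(this)) self-call check mentioned above). The second shows one defensive design, assumed here rather than taken from the page: the token itself fixes which receiver function runs (the hypothetical ITokenReceiver.onTokenReceived) and supplies the real sender, so the caller's bytes are only an opaque payload and cannot select a function on the receiver or on any other contract. MinimalToken is a stand-in for the balance bookkeeping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical receiver callback (assumption, not part of ERC827): the token,
// not the caller, chooses the selector that runs on the receiver.
interface ITokenReceiver {
    function onTokenReceived(address from, uint256 value, bytes calldata data) external;
}

// Minimal balance bookkeeping so both variants compile stand-alone.
contract MinimalToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000; // constructed sample supply
    }

    function transfer(address to, uint256 value) public returns (bool) {
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// Shape reported in this issue: arbitrary calldata is forwarded, so `_to` sees
// msg.sender == address(this) and `_data` may encode any function on any contract.
// The self-call check only closes the "proxy through the contract itself" case.
contract UnsafeTransferAndCall is MinimalToken {
    function transferAndCall(address _to, uint256 _value, bytes calldata _data)
        public
        returns (bool)
    {
        require(_to != address(this), "no self-call");
        transfer(_to, _value);
        (bool ok, ) = _to.call(_data); // caller-chosen selector and arguments
        require(ok, "receiver call failed");
        return true;
    }
}

// Defensive shape: fixed callback, real sender passed by the token, payload opaque.
contract SafeTransferAndCall is MinimalToken {
    function transferAndCall(address _to, uint256 _value, bytes calldata _data)
        public
        returns (bool)
    {
        require(_to != address(this), "no self-call");
        transfer(_to, _value);
        if (_to.code.length > 0) {
            // `from` is msg.sender as observed by the token, so the receiver
            // cannot be handed a forged origin through `_data`.
            ITokenReceiver(_to).onTokenReceived(msg.sender, _value, _data);
        }
        return true;
    }
}
```

The difference to look for in review is whether the receiver address and the function selector are both under the caller's control: in UnsafeTransferAndCall the token will execute whatever `_data` encodes against `_to`, including functions such as transfer or approve on other token contracts that the vulnerable contract holds or is approved for, which is what scenarios [1] and [2] above rely on. SafeTransferAndCall keeps the receiver address caller-chosen but pins the selector and the reported sender, which also removes the fake-parameter case in [4].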