Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unlimiting the delay period with minimum threshold allow the delay period to be set too low and allow a malicious ScheduleUpgrade message to be executed on the root contract and gain access on the other contracts. #298

Open
c4-submissions opened this issue Sep 14, 2023 · 3 comments
Open

unlimiting the delay period with minimum threshold allow the delay period to be set too low and allow a malicious ScheduleUpgrade message to be executed on the root contract and gain access on the other contracts. #298

c4-submissions opened this issue Sep 14, 2023 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a low quality report This report is of especially low quality primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/Root.sol#L43-L50
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/Root.sol#L16-L17

Vulnerability details

Impact

allowing to modify the delay period without minimum threshold can result in set the delay period to a too short period or even zero ,which is allowed according to the code , and this could lead to allowing a malicious ScheduleUpgrade message to pass and a malicious account can gain control over all the contracts of the protocols.

Proof of Concept

in the Root.sol contract , the protocol implements a maximum threshold in the function file() which can modify the delay variable , so the possibility of the set the delay period to a very long period exists and also setting the delay period to a very short period is still possible ,as shown in the file() which will not prevent set the delay period to zero or any short period :

    function file(bytes32 what, uint256 data) external auth {
        if (what == "delay") {
            require(data <= MAX_DELAY, "Root/delay-too-long");
            delay = data;
        } else {
            revert("Root/file-unrecognized-param");
        }
        emit File(what, data);

so if the delay was set to a very short period and Someone gains control over a router and triggers a malicious ScheduleUpgrade message , the malicious attacker can trigger the executeScheduledRely() function after the delay period , which is too short , to give his address or any contract an auth role on any of the protocol contracts , the attacker can be auth on the escrow contract and steals all the funds from the protocol .

this attack does not assume that the auth admin on the Root contract is malicious , but it is all about the possibility of setting the delay period to a very short period or even zero , which can be happened mistakenly or intentionally .

Tools Used

manual review

Recommended Mitigation Steps

this vulnerability can be mitigated by implementing a minimum threshold MIN_DELAY to the delay period , so this will prevent setting the delay period to zero or even a very short period .

+    uint256 private MIN_DELAY = 2 days ;

    function file(bytes32 what, uint256 data) external auth {
        if (what == "delay") {
            require(data <= MAX_DELAY, "Root/delay-too-long");
+           require(data >= MIN_DELAY, "Root/delay-too-short");

            delay = data;
        } else {
            revert("Root/file-unrecognized-param");
        }
        emit File(what, data);

Assessed type

Invalid Validation
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 14, 2023
c4-submissions added a commit that referenced this issue Sep 14, 2023
@c4-submissions
castle_chain issue #298
aff6ad4
@c4-pre-sort
Copy link

raymondfam marked the issue as low quality report

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Sep 15, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Sep 15, 2023
This was referenced Sep 15, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@c4-judge
Copy link

gzeon-c4 changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Sep 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a low quality report This report is of especially low quality primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @C4-Staff @c4-submissions