Attackathon | Fuel Network 32314 - [Smart Contract - Insight] Missing _disableInitializers in FuelER
Submitted on Tue Jun 18 2024 06:05:13 GMT-0400 (Atlantic Standard Time) by @shanb1605 for Attackathon | Fuel Network
Report ID: #32314
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/FuelLabs/fuel-bridge/tree/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Description
Brief/Intro
The FuelERC20GatewayV4 contract is a UUPS upgradeable contract. Its constructor does not call _disableInitializers(), so nothing prevents the implementation contract itself from being initialized.
Vulnerability Details
Because _disableInitializers() is never called in the constructor, anyone can call initialize() on the implementation contract of FuelERC20GatewayV4 directly (rather than through the proxy). The affected contract:
https://github.com/FuelLabs/fuel-bridge/blob/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts/contracts/messaging/gateway/FuelERC20Gateway/FuelERC20GatewayV4.sol
Impact Details
OpenZeppelin advises that UUPS implementation contracts be initialized (or have their initializers disabled) at deployment, but FuelERC20GatewayV4 does not do this in its constructor. As a result, anyone can initialize the implementation contract.
References
https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301
Mitigation
Consider adding this snippet to FuelERC20GatewayV4.sol
Proof of Concept
The PoC was run as a Tenderly local simulation, which shows that anyone can initialize the implementation contract.
1. Go to the Tenderly simulator: https://dashboard.tenderly.co/project/simulator/
2. Click on New Simulation.
3. Insert the implementation address on Sepolia: 0xf6024ccbfbb2201c3d43c0c2bbd162d65d4a07c4
4. Choose Sepolia as the network.
5. Choose Enter raw input data and fill in 0xc4d66de80000000000000000000000005a36ec816a51d76542cf45f7f7c24ced5b1671e900000000000000000000000000000000000000000000000000000000
6. Click on Simulate Transaction.
The input data above is the ABI-encoded calldata for initialize(address): the 4-byte function selector 0xc4d66de8 followed by the address argument 0x5a36ec816a51d76542cf45f7f7c24ced5b1671e9 left-padded to 32 bytes (the trailing zero bytes are extra padding that the ABI decoder ignores).
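The Foundry test below is an added example written for this report; it is not code from the fuel-bridge repository and does not reproduce FuelERC20GatewayV4. GatewayUnlocked and GatewayLocked are minimal stand-in UUPS contracts, and the test names and the STRANGER address are constructed. It assumes OpenZeppelin's upgradeable contracts and forge-std are installed at the import paths shown. It covers both the Mitigation section (a constructor that calls _disableInitializers()) and the Proof of Concept: the first test shows that initialize(address), whose selector is the 0xc4d66de8 seen in the PoC calldata, succeeds on a bare implementation; the second shows the same call reverting once the constructor locks the implementation; the third confirms that the normal proxy deployment path is unaffected by the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not fuel-bridge code. Assumes OpenZeppelin upgradeable
// contracts (v4.9 or v5) and forge-std are available at these paths.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

/// Stand-in for a UUPS gateway whose implementation can be initialized by anyone:
/// there is no constructor, so the implementation's own storage is never locked.
contract GatewayUnlocked is Initializable, UUPSUpgradeable {
    address public owner;

    function initialize(address owner_) external initializer {
        owner = owner_;
    }

    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == owner, "not owner");
    }
}

/// Same contract with the mitigation: the constructor runs only in the
/// implementation's context and marks it as fully initialized, so
/// initialize() can only ever succeed through a proxy's fresh storage.
contract GatewayLocked is Initializable, UUPSUpgradeable {
    address public owner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        owner = owner_;
    }

    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == owner, "not owner");
    }
}

contract DisableInitializersTest is Test {
    // Constructed address standing in for an arbitrary third party.
    address constant STRANGER = address(0xBEEF);

    function test_unlockedImplementationCanBeInitializedByAnyone() public {
        GatewayUnlocked impl = new GatewayUnlocked();
        // The PoC calldata starts with this selector.
        assertTrue(GatewayUnlocked.initialize.selector == 0xc4d66de8);
        vm.prank(STRANGER);
        impl.initialize(STRANGER); // succeeds: the implementation is now "owned" by the stranger
        assertEq(impl.owner(), STRANGER);
    }

    function test_lockedImplementationRejectsInitialize() public {
        GatewayLocked impl = new GatewayLocked();
        vm.prank(STRANGER);
        vm.expectRevert(); // Initializable reverts: initializers are disabled
        impl.initialize(STRANGER);
    }

    function test_proxyStillInitializesNormally() public {
        GatewayLocked impl = new GatewayLocked();
        bytes memory initData = abi.encodeCall(GatewayLocked.initialize, (address(this)));
        // Initialization through the proxy writes the proxy's storage, which is still fresh.
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
        assertEq(GatewayLocked(address(proxy)).owner(), address(this));
    }
}
```

Run with forge test from a project that has the two OpenZeppelin packages and forge-std installed. Note that _disableInitializers() only locks the implementation contract's own storage; every proxy that delegates to it still starts with a zeroed initializer slot and initializes normally, which is why the third test passes.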