Active Boosts

Attackathon _ Fuel Network 32314 - [Smart Contract - Insight] Missing _disableInitializers in FuelER

Submitted on Tue Jun 18 2024 06:05:13 GMT-0400 (Atlantic Standard Time) by @shanb1605 for Attackathon | Fuel Network

Report ID: #32314

Report type: Smart Contract

Report severity: Insight

Target: https://github.com/FuelLabs/fuel-bridge/tree/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts

Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The FuelERC20GatewayV4 contract is a UUPS upgradeable contract. It's missing _disableInitializers inside constructor to stop initializing the implementation contract.

Vulnerability Details

Since there is missing _disableInitializers inside constructor. Anyone could initialize the implementation of FuelERC20GatewayV4 contract.

https://github.com/FuelLabs/fuel-bridge/blob/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts/contracts/messaging/gateway/FuelERC20Gateway/FuelERC20GatewayV4.sol

Impact Details

Openzeppelin advises initializing the UUPS contract implementation, but FuelERC20GatewayV4 doesn't initialize it under constructor. This leaves anyone to initialize the implementation contract.

References

https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301

Mitigation

Consider adding this snippet to FuelERC20GatewayV4.sol

constructor() {
    _disableInitializers()
}

Proof of concept

Proof of Concept

The POC is tested through tenderly local simulation that proves anyone can initialize the impl contract.

  1. Go to Tenderly simulator: https://dashboard.tenderly.co/project/simulator/

  2. Click on New Simulation

  3. Insert the impl address on sepolia 0xf6024ccbfbb2201c3d43c0c2bbd162d65d4a07c4

  4. Choose Network as Sepolia

  5. Now choose Enter raw input data and fill 0xc4d66de80000000000000000000000005a36ec816a51d76542cf45f7f7c24ced5b1671e900000000000000000000000000000000000000000000000000000000

  6. Click on Simulate Transaction

The above input data is call data encoding of initialize(address)

PreviousAttackathon _ Fuel Network 32302 - [Smart Contract - Low] Src ContractConfigurables hash collisionNextAttackathon _ Fuel Network 32327 - [Websites and Applications - Low] REVISED Malicious Downtime via

Last updated

Was this helpful?