search
Active Boosts

Attackathon _ Fuel Network 32314 - [Smart Contract - Insight] Missing _disableInitializers in FuelER

Submitted on Tue Jun 18 2024 06:05:13 GMT-0400 (Atlantic Standard Time) by @shanb1605 for Attackathon | Fuel Networkarrow-up-right

Report ID: #32314

Report type: Smart Contract

Report severity: Insight

Target: https://github.com/FuelLabs/fuel-bridge/tree/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts

Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief/Intro

The FuelERC20GatewayV4 contract is a UUPS upgradeable contract. It's missing _disableInitializers inside constructor to stop initializing the implementation contract.

hashtag
Vulnerability Details

Since there is missing _disableInitializers inside constructor. Anyone could initialize the implementation of FuelERC20GatewayV4 contract.

https://github.com/FuelLabs/fuel-bridge/blob/623dc288c332b9d55f59b1d3f5e04909e2b4435d/packages/solidity-contracts/contracts/messaging/gateway/FuelERC20Gateway/FuelERC20GatewayV4.sol

hashtag
Impact Details

Openzeppelin advises initializing the UUPS contract implementation, but FuelERC20GatewayV4 doesn't initialize it under constructor. This leaves anyone to initialize the implementation contract.

hashtag
References

https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301

hashtag
Mitigation

Consider adding this snippet to FuelERC20GatewayV4.sol

hashtag
Proof of concept

hashtag
Proof of Concept

The POC is tested through tenderly local simulation that proves anyone can initialize the impl contract.

  1. Go to Tenderly simulator: https://dashboard.tenderly.co/project/simulator/

  2. Click on New Simulation

  3. Insert the impl address on sepolia 0xf6024ccbfbb2201c3d43c0c2bbd162d65d4a07c4

  4. Choose Network as Sepolia

  5. Now choose Enter raw input data and fill 0xc4d66de80000000000000000000000005a36ec816a51d76542cf45f7f7c24ced5b1671e900000000000000000000000000000000000000000000000000000000

  6. Click on Simulate Transaction

The above input data is call data encoding of initialize(address)

PreviousAttackathon _ Fuel Network 32302 - [Smart Contract - Low] Src ContractConfigurables hash collisionNextAttackathon _ Fuel Network 32327 - [Websites and Applications - Low] REVISED Malicious Downtime via

Last updated

Was this helpful?