29067 - [SC - Low] Puffer Finance Missing Verification of Externa...

Submitted on Mar 6th 2024 at 12:04:59 UTC by @Norah for Boost | Puffer Finance

Report ID: #29067

Report type: Smart Contract

Report severity: Low

Target: https://etherscan.io/address/0x3C28B7c7Ba1A1f55c9Ce66b263B33B204f2126eA#code

Impacts:

Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

Timelock.sol has executeTransaction() function which takes the target address, calldata and operation ID as arguments, and it calls the function specified in calldata along with the argument values on the target address.

Vulnerability Details

First of all, there is no input validation on the target address as well as the call data being supplied in the argument, which is fine. But there is no check on whether the external call succeeded or not.

       .
       .
       .

        if (block.timestamp < lockedUntil) {
            revert Locked(txHash, lockedUntil);
        }

        queue[txHash] = 0;
        (success, returnData) = _executeTransaction(target, callData);

        emit TransactionExecuted(txHash, target, callData, operationId);

        return (success, returnData);

        .
        .
        .
      
       function _executeTransaction(address target, bytes calldata callData) internal returns (bool, bytes memory) {
        return target.call(callData);
    }

While, current implementation does catch boolean return by external call indication success or failure of the same.

But, there is no check placed using that boolean to verify the transaction succeeded or not.

Impact Details

In cases, where wrong inputs (like non-existent address or incorrect signatures) are provided to executeTransaction i, the external call will silently fail.

Recommendation

        .
        .
        .

        if (block.timestamp < lockedUntil) {
            revert Locked(txHash, lockedUntil);
        }

        queue[txHash] = 0;
        (success, returnData) = _executeTransaction(target, callData);

+++     require(success, "Transaction failed");

        emit TransactionExecuted(txHash, target, callData, operationId);

        return (success, returnData);

      }

References

Add any relevant links to documentation or code

Proof of Concept

Add below tests in the timelock.t.sol file in the current test suite :
https://github.com/PufferFinance/pufETH/blob/main/test/unit/Timelock.t.sol

   function testCalltoNonExistentAddress() public {

        vm.startPrank(timelock.OPERATIONS_MULTISIG());

        bytes memory callData = abi.encodeCall(Timelock.setDelay, (15 days));

        uint256 operationId = 1234;

        uint snap = vm.snapshot();

        //Non-existent is provided instead of timelock address
        address nonExistentAddress = address(0xDead);
        bytes32 codehash;
        assembly { 
            codehash := extcodehash(nonExistentAddress) 
        }
        assert(codehash == 0x0);
        bytes32 txHash = timelock.queueTransaction(nonExistentAddress, callData, operationId);

        uint256 lockedUntil = block.timestamp + timelock.delay();

        vm.warp(lockedUntil + 1);

        //This should have reverted.
        timelock.executeTransaction(nonExistentAddress, callData, operationId);

        vm.revertTo(snap);

    }

    function testNonExistentMethod() public {

        vm.startPrank(timelock.OPERATIONS_MULTISIG());

        //signature of non existent method
        bytes memory callData = bytes('0xaaaaaaaa');

        uint256 operationId = 1234;

        bytes32 txHash = timelock.queueTransaction(address(timelock), callData, operationId);

        uint256 lockedUntil = block.timestamp + timelock.delay();

        vm.warp(lockedUntil + 1);

        //This will succeed without reverting
        timelock.executeTransaction(address(timelock), callData, operationId);

    }

Previous29060 - [SC - Medium] initiateETHWithdrawalsFromLido decreases totalA...Next29073 - [SC - Insight] excuteTransaction in timelock contract will una...

Last updated 2 months ago