29149 - [SC - Insight] DoS in Zero Registry configuration updation

Submitted on Mar 8th 2024 at 17:44:51 UTC by @oxumarkhatab for Boost | ZeroLend

Report ID: #29149

Report type: Smart Contract

Report severity: Insight

Target: https://github.com/zerolend/governance

Impacts:

• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Brief/Intro

The zero registry will not update the configuration in it's storage due to incomplete implementation.

Vulnerability Details

The ZeroRegistry contains many onlyOwner functions among which setPoolConfiguratorImpl is the one. It takes newPool configuration and supposed to update the implementation logic.

  function setPoolConfiguratorImpl(
        address newPoolConfiguratorImpl
    ) external override onlyOwner {
        address oldPoolConfiguratorImpl = _getProxyImplementation(
            POOL_CONFIGURATOR
        );
        _updateImpl(POOL_CONFIGURATOR, newPoolConfiguratorImpl);
        emit PoolConfiguratorUpdated(
            oldPoolConfiguratorImpl,
            newPoolConfiguratorImpl
        );
    }

However , due to incomplete implementation of _getProxyImplementation & _updateImpl,

_getProxyImplementation will always result 0

and _updateImpl wil always pass and do no storage updates

This function does not store or update anything, leading to denial of service for owner. ( technically it stores the new implementation address always at the zero proxy address which is logical flaw)

In an event where the configuration's implementation has to be updated and otherwise a lot of funds would be at risk, this function will fail to secure the protocol and cause un-intended behaviour causing DoS of updation of configurations.

Impact Details

Protocol functioning damage - Updates through registry can not be done due to in-complete logic implementation.

References

see PoC for details

Proof of Concept

Although it's clear from the above report description , you can visualize the scenario from this PoC