Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some bytes may be emitted when we check the call data #48

Closed
howlbot-integration bot opened this issue Oct 27, 2024 · 2 comments
Closed

Some bytes may be emitted when we check the call data #48

howlbot-integration bot opened this issue Oct 27, 2024 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-17 🤖_24_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-10-kleidi/blob/ab89bcb443249e1524496b694ddb19e298dca799/src/BytesHelper.sol#L35-L58

Vulnerability details

Proof of Concept

In Timelock contract, we can assign hot assign's valid behaviour via addCalldataChecks. The hot signers can execute the whitelist calldata transaction.
The problem is that some bytes in the whole calldata will be missed in the calldata check. This will decrease the calldata check's safety.

When we try to add several index, we have one check to make sure there will be any overlap between two different index.
For example:
The first index is from 4 to 8. (startIndex=4, endIndex=8)
If we want to add one second index, the minimum startIndex should be 9. Imagine the second index is from 9 to 12.(startIndex=9, endIndex=12)
The problem is that when we want to check the first index, we will get one sliced bytes via sliceBytes(). The byte index 4,5,6,7 will be included into the return value sliced. The endIndex 8 for the first index is not included into the sliced.
When we go on checking the second index, we will get another sliced bytes, the byte index 9,10,11 will be included the second sliced.
From the above example, we will miss the byte index 8 in the calldata checking even if we don't leave any gap between the first index and the second index.

The impact for this is serious. Because that some input parameters cannot be checked via checkCalldata.

    function _addCalldataCheck(
        address contractAddress,
        bytes4 selector,
        uint16 startIndex,
        uint16 endIndex,
        bytes[] memory data // Here the data is bytes[], 
    ) private {
        ...
                require(
                    startIndex > indexes[i].endIndex
                        || endIndex < indexes[i].startIndex,
                    "CalldataList: Partial check overlap"
                );
        ...
}
    function sliceBytes(bytes memory toSlice, uint256 start, uint256 end)
        public
        pure
        returns (bytes memory)
    {
        require(
            start < toSlice.length,
            "Start index is greater than the length of the byte string"
        );
        require(
            end <= toSlice.length,
            "End index is greater than the length of the byte string"
        );
        require(start < end, "Start index not less than end index");

        uint256 length = end - start;
        bytes memory sliced = new bytes(length);
        // For example, start = 4, end = 8
        // The first byte is toSlice[start] = toSlice[4], the last byte is toSlice[7]
        for (uint256 i = 0; i < length; i++) {
            sliced[i] = toSlice[i + start];
        }

        return sliced;
    }

Recommended Mitigation Steps

If we keep current sliceBytes's implementation, it means that when we check one index(startIndex, endIndex), the startIndex will be included into this index calldata check and endIndex will be not included into this calldata check.
Based on above implementation, when we create one second index, the second index's startIndex can equal to the previous index's endIndex.

                require(
                    startIndex > indexes[i].endIndex
                        || endIndex < indexes[i].startIndex,
                    "CalldataList: Partial check overlap"
                );

Assessed type

Context
@howlbot-integration howlbot-integration bot added 3 (High Risk) Assets can be stolen/lost/compromised directly 🤖_24_group AI based duplicate group recommendation bug Something isn't working duplicate-2 sufficient quality report This report is of sufficient quality labels Oct 27, 2024
howlbot-integration bot added a commit that referenced this issue Oct 27, 2024
@howlbot-integration
0x37 issue #48
b967a40
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Oct 31, 2024
@c4-judge
Copy link

GalloDaSballo marked the issue as satisfactory

@c4-judge
Copy link

c4-judge commented Nov 4, 2024

GalloDaSballo changed the severity to 2 (Med Risk)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue duplicate-17 and removed 3 (High Risk) Assets can be stolen/lost/compromised directly duplicate-2 labels Nov 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-17 🤖_24_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge