Omniscia 0xPhase Audit
CallLib Manual Review Findings
CLB-01M: Weak Validation of Call Result
Type | Severity | Location |
---|---|---|
Logical Fault | | CallLib.sol:L79-L81 |
Description:
The `CallLib::verifyCallResult` function in use by its function-calling methods does not validate the result adequately. In detail, the `CallLib::verifyCallResult` will "succeed" when validating a call made to a non-contract address, which is incorrect.
Impact:
Calls performed via the `CallLib` to non-contract addresses with no return signature in the function interface utilized would execute "successfully" even though no code was actually executed.
Example:
```solidity
67  /// @notice Verifies if a contract call succeeded
68  /// @param success If the call itself succeeded
69  /// @param result The result of the call
70  /// @param target The called contract
71  /// @param method The method type, call or delegateCall
72  /// @return The result of the call
73  function verifyCallResult(
74      bool success,
75      bytes memory result,
76      address target,
77      string memory method
78  ) internal pure returns (bytes memory) {
79      if (success) {
80          return result;
81      }
82
83      if (result.length == 0)
84          revert(
85              string.concat(
86                  "CallLib: Function ",
87                  method,
88                  " reverted silently for ",
89                  Strings.toHexString(target)
90              )
91          );
92
93      // solhint-disable-next-line no-inline-assembly
94      assembly {
95          revert(add(32, result), mload(result))
96      }
97  }
```
Recommendation:
We advise the `CallLib::verifyCallResult` function to introduce new code in its `success` conditional that evaluates whether `result.length` is `0` and in such a case ensures that the `target` address has a non-zero code size (i.e. `target.code.length > 0`).
Alleviation (3dd3d7bf0c2693b2f9c23bacedfa420393f7ea84):
The code was updated to properly evaluate that the target represents a smart contract if no return data was yielded and a successful execution was signalled, alleviating this exhibit.
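One way to implement the recommended check, written as an added example; it is not the code from the 0xPhase repository or from the referenced commit. The library name `CallLibHardened`, the OpenZeppelin import path for `Strings`, and the wording of the new revert message are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Assumption: `Strings` in the reviewed code is OpenZeppelin's library.
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

/// Added example: hardened variant of the reviewed function (hypothetical library name).
library CallLibHardened {
    /// @dev Must be `view` rather than `pure`: reading `target.code.length` accesses chain state.
    function verifyCallResult(
        bool success,
        bytes memory result,
        address target,
        string memory method
    ) internal view returns (bytes memory) {
        if (success) {
            // A low-level call to an address without code reports success and
            // returns no data, so only the empty-result case needs the code-size check.
            if (result.length == 0 && target.code.length == 0)
                revert(
                    string.concat(
                        "CallLib: Function ",
                        method,
                        " target is not a contract: ", // assumed message wording
                        Strings.toHexString(target)
                    )
                );
            return result;
        }

        // Failure path unchanged from the reviewed code.
        if (result.length == 0)
            revert(
                string.concat(
                    "CallLib: Function ",
                    method,
                    " reverted silently for ",
                    Strings.toHexString(target)
                )
            );

        // Bubble up the callee's revert data unchanged.
        // solhint-disable-next-line no-inline-assembly
        assembly {
            revert(add(32, result), mload(result))
        }
    }
}
```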