Omniscia 0xPhase Audit

CallLib Manual Review Findings

CallLib Manual Review Findings

CLB-01M: Weak Validation of Call Result

TypeSeverityLocation
Logical FaultCallLib.sol:L79-L81

Description:

The CallLib::verifyCallResult function in use by its function-calling methods does not validate the result adequately. In detail, the CallLib::verifyCallResult will "succeed" when validating a call made to a non-contract address which is incorrect.

Impact:

Calls performed via the CallLib to non-contract addresses with no return signature in the function interface utilized would execute "successfully" even though no code was actually executed.

Example:

lib/CallLib.sol
67/// @notice Verifies if a contract call succeeded
68/// @param success If the call itself succeeded
69/// @param result The result of the call
70/// @param target The called contract
71/// @param method The method type, call or delegateCall
72/// @return The result of the call
73function verifyCallResult(
74 bool success,
75 bytes memory result,
76 address target,
77 string memory method
78) internal pure returns (bytes memory) {
79 if (success) {
80 return result;
81 }
82
83 if (result.length == 0)
84 revert(
85 string.concat(
86 "CallLib: Function ",
87 method,
88 " reverted silently for ",
89 Strings.toHexString(target)
90 )
91 );
92
93 // solhint-disable-next-line no-inline-assembly
94 assembly {
95 revert(add(32, result), mload(result))
96 }
97}

Recommendation:

We advise the CallLib::verifyCallResult to introduce new code in its success conditional that evaluates whether result.length is 0 and in such a case ensures that the target address has a non-zero code size (i.e. target.code.length > 0).

Alleviation (3dd3d7bf0c2693b2f9c23bacedfa420393f7ea84):

The code was updated to properly evaluate that the target represents a smart contract if no return data was yielded and a successful execution was signalled, alleviating this exhibit.