{"componentChunkName":"component---node-modules-rocketseat-gatsby-theme-docs-core-src-templates-docs-query-js","path":"/manual-review/TransferRewardMixerStorage-TRS","result":{"data":{"mdx":{"id":"ca852ab3-d7ae-5af9-b60a-5ab1ca3e079f","excerpt":"TRS-01M: Arbitrary Self-Call Construction Type Severity Location Logical Fault TransferRewardMixerStorage.sol:L134 ,  L135 ,  L217 ,  L264 Description: The…","fields":{"slug":"/manual-review/TransferRewardMixerStorage-TRS/"},"frontmatter":{"title":"TransferRewardMixerStorage Manual Review Findings","description":"Contains all the findings that relate to manual review on the contract codebase","image":null,"disableTableOfContents":null},"body":"var _excluded = [\"components\"];\n\nfunction _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsxRuntime classic */\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"TransferRewardMixerStorage Manual Review Findings\",\n  
\"description\": \"Contains all the findings that relate to manual review on the contract codebase\"\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, _excluded);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"span-idtrs-01mtrs-01m-arbitrary-self-call-constructionspan\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#span-idtrs-01mtrs-01m-arbitrary-self-call-constructionspan\",\n    \"aria-label\": \"span idtrs 01mtrs 01m arbitrary self call constructionspan permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"span\", {\n    id: \"TRS-01M\"\n  }, \"TRS-01M: Arbitrary Self-Call Construction\")), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Type\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Severity\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Location\"))), mdx(\"tbody\", {\n    parentName: 
\"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"/reports/evergon-labs-tmi-staking-protocol-674eaeb16dc0450018dd65fb/appendix/finding-types#logical-fault\"\n  }, \"Logical Fault\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"img\", {\n    parentName: \"td\",\n    \"className\": \"o-severity o-medium\",\n    \"src\": \"https://omniscia.io/report-assets/medium.png\"\n  })), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol#L134\"\n  }, \"TransferRewardMixerStorage.sol:L134\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol#L135\"\n  }, \"L135\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol#L217\"\n  }, \"L217\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol#L264\"\n  }, \"L264\"))))), mdx(\"h3\", {\n    \"id\": \"description\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#description\",\n    \"aria-label\": \"description permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": 
\"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Description:\"), mdx(\"p\", null, \"The Evergon Labs Diamond responsible for handling the various functionalities of the staking system relies on several assumptions in its internal cross-facet calls that are generally upheld via usage of the \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/helpers/DelegateCallee.sol#L39-L44\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"DelegateCallee::onlyInternalDelegateCall\")), \" modifier, ensuring that the caller of a function is the Diamond itself.\"), mdx(\"p\", null, \"This security measure can be bypassed entirely due to the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"TransferRewardMixerStorage\"), \" implementation that allows any selector to be set as a \\\"setter\\\" for a particular asset. 
While the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"campaignId\"), \" being interfixed between the function selector utilized and the remaining function payload restricts the malicious actions to a particular campaign ID, it still allows certain functionality of a campaign to be accessed outside its normal execution flow. The bypass is possible because the configured selector is invoked through address(this).call, as shown in the example below, so the invoked function observes the Diamond itself as its caller and a check that the caller is the Diamond is satisfied.\"), mdx(\"h3\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact:\"), mdx(\"p\", null, \"Although restrained in severity due to the injection of the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"campaignId\"), \" variable, we still believe that the current arbitrary-selector input mechanism is insecure and might cause cross-facet complications, especially as new facets are introduced to the Diamond implementation.\"), mdx(\"h3\", {\n    \"id\": \"example\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#example\",\n    \"aria-label\": \"example permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    
\"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-sol\",\n    \"metastring\": \"title=packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol highlight={9,14} lineNumbers=true lineOffset=203\",\n    \"title\": \"packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol\",\n    \"highlight\": \"{9,14}\",\n    \"lineNumbers\": \"true\",\n    \"lineOffset\": \"203\"\n  }, \"for (uint256 i; i < length; i++) {\\n    uint256 assetTypeCode = rewardAssetTypeCodes[i];\\n\\n    if (!l.isRewardAssetTypeSupported[assetTypeCode]) {\\n        revert UnsupportedRewardAssetType(assetTypeCode);\\n    }\\n\\n    bytes memory callDataInput = abi.encodeWithSelector(\\n        l.setterSelectorForAssetType[assetTypeCode],\\n        campaignId,\\n        campaignRewardData[i]\\n    );\\n\\n    (bool success, bytes memory result) = address(this).call(callDataInput);\\n    if (success == false) {\\n        assembly {\\n            revert(add(result, 32), mload(result))\\n        }\\n    }\\n\\n    // Store the reward asset type code for campaignId\\n    campaignRewardAssetInfo.activeRewardAssetTypeCodes[i] = assetTypeCode;\\n}\\n\")), mdx(\"h3\", {\n    \"id\": \"recommendation\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#recommendation\",\n    \"aria-label\": \"recommendation 
permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Recommendation:\"), mdx(\"p\", null, \"We advise a strict subset of function signatures to be permitted as configurable in the \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/TransferRewardMixerStorage.sol#L181-L229\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"TransferRewardMixerStorage::setCampaignTransferRewards\")), \" function (i.e. 
\", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/erc20/minter/Erc20RewardMinterExplicitFacet.sol#L112-L128\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"Erc20RewardMinterExplicitFacet::transferErc20MinterReward\")), \", \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/erc20/transferrer/Erc20RewardTransferExplicitFacet.sol#L111-L119\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"Erc20RewardTransferExplicitFacet::transferErc20Reward\")), \", \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/erc1155/minter/Erc1155RewardMinterExplicitFacet.sol#L118-L134\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"Erc1155RewardMinterExplicitFacet::transferErc1155MinterReward\")), \", \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/evergonlabs/StakingProtocol/blob/dd3cd83a38dbea2dad34f7dc82c835f1793d5459/packages/contracts/contracts/transfers/reward/erc1155/transferrer/Erc1155RewardTransferExplicitFacet.sol#L119-L127\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"Erc1155RewardTransferExplicitFacet::transferErc1155Reward\")), \") ensuring that such malfunctions are not permitted via carefully crafted input packet configurations.\"), mdx(\"h3\", {\n    \"id\": \"alleviation-b64b659786cf3c84bea52feb3a69f546ba3601f0\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation-b64b659786cf3c84bea52feb3a69f546ba3601f0\",\n    \"aria-label\": \"alleviation b64b659786cf3c84bea52feb3a69f546ba3601f0 
permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Alleviation (b64b659786cf3c84bea52feb3a69f546ba3601f0):\"), mdx(\"p\", null, \"The function selectors for performing transfers as well as implementing setters are now strictly validated as explicitly supported, preventing arbitrary self-calls from being constructed and thus alleviating this exhibit in full.\"), mdx(ViewDiffButton, {\n    repoUrl: \"https://github.com/evergonlabs/StakingProtocol\",\n    mainHash: \"dd3cd83a38dbea2dad34f7dc82c835f1793d5459\",\n    fixHash: \"b64b659786cf3c84bea52feb3a69f546ba3601f0\",\n    gitHubIssue: \"62\",\n    mdxType: \"ViewDiffButton\"\n  }));\n}\n;\nMDXContent.isMDXComponent = true;","headings":[{"depth":2,"value":"<span id=\"TRS-01M\">TRS-01M: Arbitrary Self-Call Construction</span>"},{"depth":3,"value":"Description:"},{"depth":3,"value":"Impact:"},{"depth":3,"value":"Example:"},{"depth":3,"value":"Recommendation:"},{"depth":3,"value":"Alleviation (b64b659786cf3c84bea52feb3a69f546ba3601f0):"}]}},"pageContext":{"slug":"/manual-review/TransferRewardMixerStorage-TRS/","prev":{"label":"TransferInputMixerStorage.sol (TIS-M)","link":"/manual-review/TransferInputMixerStorage-TIS"},"next":{"label":"AccessControlFacetStorage.sol 
(ACS-C)","link":"/code-style/AccessControlFacetStorage-ACS"}}},"staticQueryHashes":["1954253342","2328931024","2501019404","973074209"]}