📄

Report #23205

Report Date
August 14, 2023
Status
Closed
Payout

Unvalidated Input in advancedPipe Function Puts Contract/Funds at Risk

Report Info

Report ID

#23205

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2

Impacts

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Bug Description

The vulnerability lies in the _advancedPipe function, which is called by the attacker contract with malicious input. The code lacks input validation checks, allowing the attacker to pass in pipes that exploit vulnerabilities in the _advancedPipe function.

An attacker can abuse this vulnerability in several ways. For example, they can pass in pipes that execute unauthorized operations, such as modifying states or accessing restricted resources. This can lead to a breach of security and compromise the integrity of the contract.

Another potential attack vector is draining funds. By passing in malicious pipes, an attacker can manipulate the contract's logic to transfer funds to unauthorized addresses or drain funds from the system entirely. This can result in significant financial losses and undermine the trust in the contract.

Furthermore, the absence of safety checks allows an attacker to pass in unsafe or unreasonable values. For instance, an attacker can input values that cause arithmetic overflows, division by zero, or other unexpected behaviors. This can lead to contract failure, unexpected state changes, or loss of funds.

Impact

The given code is vulnerable to abuse by an attacker through the _advancedPipe function. The lack of input validation and safety checks allows an attacker to pass in malicious pipes that exploit vulnerabilities in the _advancedPipe function. This can result in unauthorized operations, fund draining, or contract failure. Additionally, the absence of proper validation and exception handling makes it possible for an attacker to pass in unsafe or unreasonable values, leading to unexpected outcomes.

Vulnerable code

    function advancedPipe(AdvancedPipeCall[] calldata pipes, uint256 value)
        external
        payable
        returns (bytes[] memory results)
    {
        results = IPipeline(PIPELINE).advancedPipe{value: value}(pipes);
        LibEth.refundEth();
    }
 function advancedPipe(AdvancedPipeCall[] calldata pipes)
        external
        payable
        override
        returns (bytes[] memory results) {
            results = new bytes[](pipes.length);
            for (uint256 i = 0; i < pipes.length; ++i) {
                results[i] = _advancedPipe(pipes[i], results);
            }
        }

Proof of concept

To reproduce the attack, an attacker would need to deploy a malicious contract that calls the vulnerable _advancedPipe function with carefully crafted pipes. These pipes would exploit the vulnerabilities in the function, either by executing unauthorized operations or manipulating the contract's logic to drain funds.

Steps to reproduce the attack:

  1. Deploy the malicious contract.
  2. Call the _advancedPipe function of the target contract, passing in the malicious pipes as input.
  3. Exploit the vulnerabilities in the _advancedPipe function to execute unauthorized operations or drain funds from the system.

BIC Response

This is not a valid bug report because unexpected outcomes (like loss of funds) due to misuse of Pipeline do not qualify. Read more here: https://evmpipeline.org/pipeline.pdf#section.6

Due to these reasons, we are closing the submission and no reward will be issued.