Unvalidated Input in advancedPipe Function Puts Contract/Funds at Risk
Report ID
#23205
Report type
Smart Contract
Has PoC?
Yes
Target
Impacts
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Bug Description
The vulnerability lies in the _advancedPipe function, which is called by the attacker contract with malicious input. The code lacks input validation checks, allowing the attacker to pass in pipes that exploit vulnerabilities in the _advancedPipe function.
An attacker can abuse this vulnerability in several ways. For example, they can pass in pipes that execute unauthorized operations, such as modifying states or accessing restricted resources. This can lead to a breach of security and compromise the integrity of the contract.
Another potential attack vector is draining funds. By passing in malicious pipes, an attacker can manipulate the contract's logic to transfer funds to unauthorized addresses or drain funds from the system entirely. This can result in significant financial losses and undermine the trust in the contract.
Furthermore, the absence of safety checks allows an attacker to pass in unsafe or unreasonable values. For instance, an attacker can input values that cause arithmetic overflows, division by zero, or other unexpected behaviors. This can lead to contract failure, unexpected state changes, or loss of funds.
Impact
The given code is vulnerable to abuse by an attacker through the _advancedPipe function. The lack of input validation and safety checks allows an attacker to pass in malicious pipes that exploit vulnerabilities in the _advancedPipe function. This can result in unauthorized operations, fund draining, or contract failure. Additionally, the absence of proper validation and exception handling makes it possible for an attacker to pass in unsafe or unreasonable values, leading to unexpected outcomes.
Vulnerable code
function advancedPipe(AdvancedPipeCall[] calldata pipes, uint256 value)
external
payable
returns (bytes[] memory results)
{
results = IPipeline(PIPELINE).advancedPipe{value: value}(pipes);
LibEth.refundEth();
} function advancedPipe(AdvancedPipeCall[] calldata pipes)
external
payable
override
returns (bytes[] memory results) {
results = new bytes[](pipes.length);
for (uint256 i = 0; i < pipes.length; ++i) {
results[i] = _advancedPipe(pipes[i], results);
}
}Proof of concept
To reproduce the attack, an attacker would need to deploy a malicious contract that calls the vulnerable _advancedPipe function with carefully crafted pipes. These pipes would exploit the vulnerabilities in the function, either by executing unauthorized operations or manipulating the contract's logic to drain funds.
Steps to reproduce the attack:
- Deploy the malicious contract.
- Call the _advancedPipe function of the target contract, passing in the malicious pipes as input.
- Exploit the vulnerabilities in the _advancedPipe function to execute unauthorized operations or drain funds from the system.
BIC Response
This is not a valid bug report because unexpected outcomes (like loss of funds) due to misuse of Pipeline do not qualify. Read more here: https://evmpipeline.org/pipeline.pdf#section.6
Due to these reasons, we are closing the submission and no reward will be issued.