Arbitrary Function Call Vulnerability in Aquifer Contract's boreWell Function
Report ID
#23897
Report type
Smart Contract
Has PoC?
Yes
Target
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Bug Description
The Aquifer contract uses a call function with user-provided data (initFunctionCall) in the boreWell function. This allows for arbitrary function calls, which could be exploited by an attacker to call any function in the newly cloned contract before anyone else.
Impact
An attacker could potentially exploit this vulnerability to take control of the newly cloned contract. For example, if the cloned contract has a function that sets an owner, an attacker could call this function and set themselves as the owner.
Proof of concept
Consider a hypothetical scenario where the Well contract has a function that allows setting an owner:
pragma solidity ^0.8.0;

// Hypothetical Well implementation whose owner can be set by anyone
contract MaliciousWell {
    address public owner;

    function setOwner(address _owner) public {
        owner = _owner;
    }
}
An attacker could exploit the initFunctionCall to set themselves as the owner of the newly cloned contract:
pragma solidity ^0.8.0;

// Assumed shape of the Aquifer entry point: (implementation, immutableData, initFunctionCall, salt)
interface IAquifer { function boreWell(address, bytes calldata, bytes calldata, bytes32) external returns (address); }

contract Attack {
    // Assume `maliciousWell` is the address of the MaliciousWell contract
    // Assume `aquifer` is the address of the Aquifer contract
    // Assume `attacker` is the address of the attacker
    function run(IAquifer aquifer, address maliciousWell, address attacker) external {
        bytes memory initFunctionCall = abi.encodeWithSignature("setOwner(address)", attacker);
        aquifer.boreWell(maliciousWell, "", initFunctionCall, "some_salt");
    }
}
In this example, the initFunctionCall is set to call the setOwner function with the attacker's address as the parameter. When the Aquifer contract clones the MaliciousWell contract and calls the initFunctionCall, the attacker becomes the owner of the newly cloned contract.
This is a simplified example and the actual exploit could be more complex. However, it illustrates the vulnerability of using a call function with user-provided data.
BIC Response
This is not a valid bug report because what it describes is expected behavior. The same could be done with any multicall contract like Pipeline. If they create the contract, it makes sense that they are able to be the first ones to call a function on the contract.
Due to these reasons, we are closing the submission and no reward will be issued.
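To show why the pattern in the report is the intended factory behaviour and where the real safety property lives, here is an added example (not Basin's Aquifer or Well code, and not part of the report): a hypothetical MiniAquifer that clones an implementation with EIP-1167 and forwards the caller's initFunctionCall only to that brand-new clone, paired with a hypothetical OwnedWell whose initializer is one-shot. The names OwnedWell, MiniAquifer, init and BoreWell are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a Well implementation (not Basin's): the owner is set by a
// one-shot initializer, so only the first call after cloning can claim it, and that
// first call is made by the factory on behalf of whoever bored the well.
contract OwnedWell {
    address public owner;
    bool private initialized;

    function init(address newOwner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = newOwner;
    }
}

// Hypothetical factory mirroring the boreWell pattern (not Basin's Aquifer): deploy an
// EIP-1167 clone of `implementation`, then forward the caller-supplied init calldata to it.
contract MiniAquifer {
    event BoreWell(address indexed well, address indexed implementation, address indexed borer);

    function boreWell(address implementation, bytes calldata initFunctionCall, bytes32 salt)
        external
        returns (address well)
    {
        well = _clone(implementation, salt);
        if (initFunctionCall.length > 0) {
            // The only target is the clone created in this transaction: arbitrary calldata
            // cannot reach the factory's own state or any previously bored well.
            (bool ok, bytes memory reason) = well.call(initFunctionCall);
            if (!ok) {
                assembly { revert(add(reason, 32), mload(reason)) } // bubble up the revert
            }
        }
        emit BoreWell(well, implementation, msg.sender);
    }

    // Standard EIP-1167 minimal-proxy creation code, deployed with CREATE2 under `salt`.
    function _clone(address implementation, bytes32 salt) internal returns (address instance) {
        assembly {
            let ptr := mload(0x40)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), shl(0x60, implementation))
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            instance := create2(0, ptr, 0x37, salt)
        }
        require(instance != address(0), "clone failed");
    }
}
```

A second call to init on the same clone reverts, so ownership of a given well is fixed at bore time by the account that bored it, and a well bored by someone else is unaffected; the BoreWell event records the borer for anyone auditing which wells to trust.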