Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
advancedPipe functions accept calldata as an input and pass it directly to the
_advancedPipe functions without any validation or sanitization. This could potentially allow an attacker to pass malicious calldata to the contract and execute arbitrary code or trigger unintended behavior.
Calldata is data that is passed to a contract function as an input and is used to encode function arguments and other data. In Solidity, calldata is an immutable type that represents a byte array that can be passed to a contract function as an argument. When calldata is passed to a contract function, it can be accessed and decoded using the
abi.decode function or other decoding functions.
This means that if an attacker passes malicious calldata to the contract that includes a function call that transfers funds or assets from the contract, the contract could potentially lose funds as a result of the attack.
Here are some specific steps that can be taken to fix this issue:
- Add input validation: The first step to fix this vulnerability is to add input validation to the
advancedPipefunctions to ensure that the calldata passed to the contract is properly formatted and does not include any malicious code or data. This can be done using Solidity's
requirefunction or other validation methods to ensure that the calldata is in the correct format.
- Sanitize calldata: After validating the calldata, it is important to sanitize the data to ensure that it does not include any malicious code or data. This can be done by using the
abi.decodefunction or other decoding functions to properly decode the calldata and ensure that it does not include any malicious code or data.
- Check the return values of external contract calls: In addition to validating and sanitizing calldata, it is also important to properly check the return values of external contract calls to ensure that the contract is behaving as intended and to prevent security vulnerabilities. To do this, the contract should check the return value of each external contract call and take appropriate action if the call fails or returns an unexpected value.
Proof of concept
Here is an example of how an attacker could exploit the unchecked calldata vulnerability in the
To test this exploit, deploy the
Pipeline contract and then deploy the
Attacker contract, passing the address of the
Pipeline contract as an argument. Then call the
attack function of the
Attacker contract to trigger the attack.
This exploit demonstrates how an attacker could pass malicious calldata to the pipe function of the
Pipeline contract, potentially allowing the attacker to execute arbitrary code or trigger unintended behavior.
This is not a security bug report because the report outlines expected functionality. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse. Adding validation like suggested in the report would reduce gas efficiency. See the Risk section of the Pipeline whitepaper: https://evmpipeline.org/pipeline.pdf#section.6
Due to these reasons, we are closing the submission and no reward will be issued.