Unchecked calldata
Report ID
#14849
Target
Report type
Smart Contract
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Has PoC?
Yes
Bug Description
the contract's pipe
, multiPipe
, and advancedPipe
functions accept calldata as an input and pass it directly to the _pipe
and _advancedPipe
functions without any validation or sanitization. This could potentially allow an attacker to pass malicious calldata to the contract and execute arbitrary code or trigger unintended behavior.
Calldata is data that is passed to a contract function as an input and is used to encode function arguments and other data. In Solidity, calldata is an immutable type that represents a byte array that can be passed to a contract function as an argument. When calldata is passed to a contract function, it can be accessed and decoded using the abi.decode
function or other decoding functions.
This means that if an attacker passes malicious calldata to the contract that includes a function call that transfers funds or assets from the contract, the contract could potentially lose funds as a result of the attack.
Recommendation
Here are some specific steps that can be taken to fix this issue:
- Add input validation: The first step to fix this vulnerability is to add input validation to the
pipe
,multiPipe
, andadvancedPipe
functions to ensure that the calldata passed to the contract is properly formatted and does not include any malicious code or data. This can be done using Solidity'srequire
function or other validation methods to ensure that the calldata is in the correct format. - Sanitize calldata: After validating the calldata, it is important to sanitize the data to ensure that it does not include any malicious code or data. This can be done by using the
abi.decode
function or other decoding functions to properly decode the calldata and ensure that it does not include any malicious code or data. - Check the return values of external contract calls: In addition to validating and sanitizing calldata, it is also important to properly check the return values of external contract calls to ensure that the contract is behaving as intended and to prevent security vulnerabilities. To do this, the contract should check the return value of each external contract call and take appropriate action if the call fails or returns an unexpected value.
Proof of concept
Here is an example of how an attacker could exploit the unchecked calldata vulnerability in the pipe
function:
To test this exploit, deploy the Pipeline
contract and then deploy the Attacker
contract, passing the address of the Pipeline
contract as an argument. Then call the attack
function of the Attacker
contract to trigger the attack.
This exploit demonstrates how an attacker could pass malicious calldata to the pipe function of the Pipeline
contract, potentially allowing the attacker to execute arbitrary code or trigger unintended behavior.
BIC Reponse
This is not a security bug report because the report outlines expected functionality. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse. Adding validation like suggested in the report would reduce gas efficiency. See the Risk section of the Pipeline whitepaper: https://evmpipeline.org/pipeline.pdf#section.6
Due to these reasons, we are closing the submission and no reward will be issued.