Petite Spruce Mammoth
Medium
Unauthorized facet functionality will let attackers to gain access to restricted functions in LibDiamond.sol
In a Diamond Standard architecture, where multiple facets manage different functionalities, it's crucial that function calls are routed properly through the correct facet. The vulnerability allows unauthorized facets to be added or existing facets to be modified improperly, it can lead to unauthorized functionality being exposed or accessed in the contract.
There’s no additional validation of the function selectors in addFunctions
https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibDiamond.sol#L78-L92
and replaceFunctions
,
https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibDiamond.sol#L94-L109
so it’s possible that the contract owner could mistakenly or maliciously add unwanted selectors with full control over the contract. This could open up a backdoor or introduce unintended functionality.
No response
- The contract is using the
LibDiamond.diamondCut()
function to manage facets. - An attacker identifies that there is insufficient validation or improper facet address management (e.g., no verification of the function selectors or facet addresses in
addFunctions()
orreplaceFunctions()
).
- The attacker registers a malicious facet with a function signature collision. This facet may include functions that have the same selector as critical functions (such as fund transfers or privileged admin functions).
- Using the
diamondCut()
functionality, the attacker can either: add their own malicious facet using theAdd action
or replace an existing facet using theReplace
action. For example:
function addMaliciousFacet() external {
IDiamondCut.FacetCut;
bytes4;
selectors[0] = this.maliciousFunction.selector; // A function that overlaps a critical selector
cut[0] = IDiamondCut.FacetCut({
facetAddress: address(this),
action: IDiamondCut.FacetCutAction.Add,
functionSelectors: selectors
});
LibDiamond.diamondCut(cut, address(0), ""); // Adds malicious functionality
}
function maliciousFunction() external {
// Code for unauthorized functionality like stealing funds
}
- The attacker now has control over functionality tied to critical selectors. They can call this malicious facet's function or overwrite legitimate functionality, potentially allowing them to: 3.1. Drain funds. 3.2. Escalate privileges (e.g., becoming contract owner). 3.3. Tamper with core business logic (e.g., change fees, manipulate data).
- Attackers can gain access to restricted functions within the contract, such as administrative controls, fund management, or other high-privilege actions.
- If the unauthorized functionality includes fund management (e.g., transferring tokens), the attacker could drain assets from the contract.
- The attacker could replace facets responsible for access control, thereby taking over the contract’s ownership and administrative rights.
- By replacing facets, the attacker could cause key functions (e.g., financial operations, voting mechanisms) to break, leading to operational failure.
No response
You could restrict or whitelist certain selectors or ensure only specific, predefined facets can be added or modified.