ctfnote
  • /home/ret2basic.eth
  • Game Hacking
    • ✅C++
    • Ghidra
    • Cheat Engine
    • Proxy
    • DLL injection
    • Keygen
    • Aimbot
  • Web3 Security Research
    • 👑Web3 Security Research Trivia
    • ✅Solidity
      • ✅Mastering Ethereum
      • ✅Storage
      • ✅Memory
      • ✅Calldata
      • ✅ABI
    • ✅Foundry
      • ✅Introduction
      • ✅How to Write Basic Tests
      • ✅Set Soliditiy Compiler Version
      • ✅Remappings
      • ✅Auto Format Code
      • ✅Console Log
      • ✅Authentication
      • ✅Error
      • ✅Event
      • ✅Time
      • ✅Send ETH
      • ✅Signature
      • ✅Fork
      • ✅Mint 1 Million DAI on Mainnet Fork
      • ✅FFI
      • ✅Fuzz
      • ✅Invariant Testing - Part 1
      • Invariant Testing - Part 2
      • Invariant Testing - Part 3
      • Differential Test
    • ✅Secureum
      • ✅Epoch 0
        • ✅Slot 1: Ethereum 101
          • ✅Notes
          • ✅Ethereum Whitepaper
          • ✅Extra Study: What happens when you send 1 DAI
          • ✅Quiz
        • ✅Slot 2: Solidity 101
          • ✅Notes
          • ✅OpenZeppelin ERC20
          • ✅OpenZeppelin ERC721
          • ✅OpenZeppelin Ownable
          • ✅OpenZeppelin Pausable
          • ✅OpenZeppelin ReentrancyGuard
          • ✅Quiz
        • ✅Slot 3: Solidity 201
          • ✅Notes
          • ✅OpenZeppelin SafeERC20
          • ✅OpenZeppelin ERC-777
          • ✅OpenZeppelin ERC-1155
          • ✅OpenZeppelin ERC-3156
          • ✅OpenZeppelin - Proxy Upgrade Pattern
          • ✅Quiz
        • ✅Slot 4: Pitfalls and Best Practices 101
          • ✅Notes
          • ✅Intro to Security First Development
          • ✅Quiz
        • ✅Slot 5: Pitfalls and Best Practices 201
          • ✅Notes
          • So you want to use a price oracle
          • The Dangers of Surprising Code
          • ✅Quiz
        • ✅Slot 6: Auditing Techniques & Tools 101
          • ✅Notes
          • ✅Quiz
        • ✅Slot 7: Audit Findings 101
          • Notes
          • ✅Fei Protocol - ConsenSys
          • ✅Uniswap V3 - Trail of Bits
          • ✅Chainlink - Sigma Prime
          • ✅Opyn Gamma - OpenZeppelin
          • ✅Quiz
        • ✅Slot 8: Audit Findings 201
          • Notes
          • 1inch Liquidity - Consensus
          • Original Dollar - Trail of Bits
          • Synthetix EtherCollateral - Sigma Prime
          • Holdefi - OpenZeppelin
          • Quiz
      • ✅Epoch ∞
        • ✅RACE #4 - ERC20 Implementation
        • ✅RACE #5 - ERC1155 Implementation
        • ✅RACE #6 - ERC721 Application
        • ✅RACE #7 - Bored Ape
        • ✅RACE #8 - ERC721 Roles
        • ✅RACE #9 - Proxy
        • ✅RACE #10 - Test Cases
        • ✅RACE #11 - Staking
        • ✅RACE #12 - ERC20 Permit
        • ✅RACE #13 - ERC20 with Callback
        • ✅RACE #14 - Lending
        • ✅RACE #15 - DEX
        • ✅RACE #16 - Flash Loan
        • ✅RACE #17
    • DeFi
      • Glossary
        • TWAP vs. VWAP
        • Tranches
      • DeFi MOOC
        • Lecture 2: Introduction to Blockchain Technologies
        • Lecture 5: DEX
        • Lecture 6: Decentralized Lending
        • Lecture 10: Privacy on the Blockchain
        • Lecture 12: Practical Smart Contract Security
        • Lecture 13: DeFi Security
      • Uniswap V2
      • Compound V3
        • ✅Whitepaper
        • ✅Interacting with Compound
          • ✅Supply and Redeem
          • ✅Borrow and Repay
          • ✅Liquidation
          • ✅Long and Short
        • ✅Interest Model
        • CToken
      • Aave
      • Chainlink
        • ✅Getting Started
        • ✅Data Feeds
        • ✅VRF
      • Optimism
        • Bedrock
      • LayerZero
      • Opensea
        • Seaport
    • EVM
      • ✅Andreas Antonopoulos - The Ethereum Virtual Machine
      • ✅Program The Blockchain - Smart Contract Storage
      • ✅EVM Codes - EVM Playground for Opcodes
      • ✅Fvictorio - EVM Puzzles
      • ✅Daltyboy11 - More EVM Puzzles
      • ✅EVM Through Huff
      • Noxx - EVM Deep Dives
      • ✅Jordan McKinney - EVM Explained
      • Openzepplin - Deconstructing a Solidity Contract
      • Jeancvllr - EVM Assembly
      • Peter Robinson - Solidity to Bytecode, Memory & Storage
      • Marek Kirejczyk - Ethereum Under The Hood
      • ✅Official Solidity Docs
      • Dissecting EVM using go-ethereum Eth client implementation - deliriusz.eth
    • Vulnerabilities
      • Rounding Issues
        • Kyberswap
      • Bridges
      • Governance / Voting Escrows
      • Bizzare Bug Classes
        • TIME - ERC2771Context + Multicall calldata manipulation
    • Fancy Topics
      • Vulnerabilities SoK
        • ✅Demystifying Exploitable Bugs in Smart Contracts
        • Blockchain Hacking Techniques 2022 Top 10 - Todo
      • yAcademy
        • Proxies
          • yAcademy - Proxy Basics
          • yAcademy - Proxies Deep Dive
          • yAcademy - Security Guide to Proxy Vulns
        • defi-fork-bugs
      • Spearbit
        • ✅Community Workshop: Riley Holterhus
        • Economic Security with fmrmf
        • Numerical Analysis for DeFi Audits: A TWAMM Case Study by Kurt Barry
  • Red Teaming
    • ✅Enumeration
      • Service Enumeration
        • SMTP (Port 25)
        • Samba (Port 139, 445)
        • SNMP (Port 161,162,10161,10162)
        • rsync (Port 873)
        • NFS (Port 2049)
        • Apache JServ Protocol (Port 8081)
        • NetBIOS
      • Nmap
      • Gobuster / Feroxbuster / FUFF / Wfuzz
      • Drupal
    • ✅Exploitation
      • Public Exploits
      • PHP Webshells
      • Reverse Shell
      • TTY
      • File Transfer
      • Metasploit
      • Password Spray
    • ✅Buffer Overflow
      • Step 0: Spiking (Optional)
      • Step 1: Fuzzing
      • Step 2: Finding the Offset
      • Step 3: Overwriting the EIP
      • Step 4: Finding Bad Characters
      • Step 5: Finding the Right Module
      • Step 6: Generating Shellcode and Gaining Root
    • ✅Privilege Escalation
      • Linux Privilege Escalation
        • Linux Permissions
        • Manual Enumeration
        • Automated Tools
        • Kernel Exploits
        • Passwords and File Permissions
        • SSH Keys
        • Sudo
        • SUID
        • Capabilities
        • Cron Jobs
        • NFS Root Squashing
        • Docker
        • GNU C Library
        • Exim
        • Linux Privilege Escalation Course Capstone
      • Windows Privilege Escalation
        • Manual Enumeration
        • Automated Tools
        • Kernel Exploits
        • Passwords and Port Forwarding
        • WSL
        • Token Impersonation and Potato Attacks
        • Meterpreter getsystem
        • Runas
        • UAC Bypass
        • Registry
        • Executable Files
        • Startup Applications
        • DLL Hijacking
        • Service Permissions (Paths)
        • CVE-2019-1388
        • HiveNightmare
        • Bypass Space Filter
    • ✅Post Exploitation
      • Linux Post Exploitation
        • Add a User
        • SSH Key
      • Windows Post Exploitation
        • windows-resources
        • Add a User
        • RDP
    • ✅Pivoting
      • Windows: Chisel
      • Linux: sshuttle
    • Active Directory (AD)
      • Initial Compromise
        • HTA Phishing
        • VBA Macro Phishing
        • LLMNR Poisoning
        • SMB Relay
        • GPP / cPassword
      • Domain Enumeration
        • Manual Enumeration
        • PowerView
        • BloodHound
      • Lateral Movement
        • PsExec
        • WMI
        • Runas
        • Pass the Hash
        • Overpass the Hash
        • Pass the Ticket
      • Kerberos
        • Kerberoast
        • AS-REP Roast
      • MS SQL Server
    • Command & Control (C2)
      • Cobalt Strike
        • Bypassing Defences
          • Artifact Kit
          • Resource Kit
          • AMSI Bypass
          • PowerPick
        • Extending Cobalt Strike
          • Elevate Kit
          • Malleable C2 Profile
      • Metasploit
        • Payloads
        • Post Exploitation
        • Automation
      • C2 Development
    • Malware Development
      • "Hot Dropper"
      • PE Format
        • Overview
      • Process Injection
      • Reflective DLL
      • x86 <=> x64
      • Hooking
      • VeraCry
      • Offensive C#
      • AV Evasion
        • AV Evasion with C# and PowerShell
        • AMSI Bypass
  • Cryptography
    • Hash Functions
    • MAC
    • AES
      • Byte at a Time
      • CBC CCA
      • CBC Bit Flipping
      • CBC Padding Oracle
    • Diffie-Hellman
    • RSA
      • Prime Factors
      • Multiple Ciphertexts
      • Low Public Exponent
      • Low Private Exponent
    • ECC
    • Digital Signature
    • JWT
    • PRNG
    • SSL/TLS
    • Research
      • ✅Lattice-based Cryptography (Lattice)
      • Elliptic Curve Cryptography (ECC)
      • Oblivious Transfer (OT)
      • Secure Multi-party Computation (MPC)
      • Learning with Error (LWE)
      • Fully Homomorphic Encryption (FHE)
      • Zero Knowledge Proof (ZKP)
      • Oblivious RAM (ORAM)
  • Computer Science
    • Linux
      • Setup
      • curl
      • Hard Link vs. Symlink
      • Man Page
      • /dev/null
    • Python
      • New Features
      • Operators, Expressions, and Data Manipulation
      • Program Structure and Control Flow
      • Objects, Types, and Protocols
      • Functions 101
      • Generators
      • Classes and Object-Oriented Programming
      • Memory Management
      • Concurrency and Parallelism
        • Multithreading and Thread Safety
        • Asynchronization
        • Multiprocessing
        • Global Interpreter Lock (GIL)
      • Built-in Functions and Standard Library
        • import collections
        • import itertools
        • import sys
        • import re
        • import pickle
        • import json
      • Third-party Library
        • from pwn import *
        • import requests
        • from bs4 import BeautifulSoup
        • from scapy.all import *
        • py2exe
    • HTML, CSS, JavaScript, and React
      • HTML
      • CSS
      • JavaScript
        • var vs. let
        • Objects
        • Arrays
        • Functions
        • Modules
        • Asynchronous JavaScript
      • React
    • Data Structures and Algorithms
      • Binary Search
    • The Linux Programming Interface
      • Processes
        • Memory Allocation
        • The Process API
        • Process Creation
        • Process Termination
        • Monitoring Child Processes
        • Program Execution
      • Signals
      • Threads
        • Thread Synchronization
        • Thread Safety and Pre-Thread Storage
      • IPC
        • Pipes and FIFOs
        • Memory Mappings
        • Virtual Memory Operations
      • Sockets
    • Computer Systems
      • Hexadecimal
      • Signedness
      • Registers
      • Instructions
      • Syscall
      • Process Memory
      • Stack Frame
      • Preemptive Multitasking
      • IPC
      • Threads
    • Databases
      • MySQL
        • Basic Syntax
        • Data Types
        • Modifying Tables
        • Duplicating and Deleting
        • SELECT
        • Transaction
      • GraphQL
    • Distributed Systems
      • Introduction
        • What is a Distributed System?
        • Design Goals
        • Scaling Techniques
        • Types of Distributed Systems
      • Architecture
        • System Architectures
        • Example Architectures
      • Communication
        • Foundations
        • Remote Procedure Call
        • Message-oriented Communication
      • Coordination
        • Clock Synchronization
        • Logical Clock
      • Consistency and Replication
        • Introduction
        • Data-centric Consistency
        • Client-centric Consistency
    • Static Analysis
      • Intermediate Representation
      • Data Flow Analysis
      • Interprocedural Analysis
      • Pointer Analysis
      • Static Analysis for Security
      • Datalog-Based Program Analysis
      • Soundness and Soundiness
      • CFL-Reachability and IFDS
  • Web
    • ✅Prerequisites
      • OWASP Top 10
        • 1. Broken Access Control
        • 2. Cryptographic Failures
        • 3. Injection
        • 4. Insecure Design
        • 5. Security Misconfiguration
        • 6. Vulnerable and Outdated Components
        • 7. Identification and Authentication Failures
        • 8. Software and Data Integrity Failures
        • 9. Security Logging and Monitoring Failures
        • 10. SSRF
      • HTTP
        • HTTP Status Codes
        • HTTP Headers
      • Burp Suite
        • Burp Intruder
        • Burp Extender
        • Burp Collaborator
      • Information Gathering
        • DNS
        • Git
        • Editor
        • Server
      • Bug Bounty Report Writing
    • File Upload
      • Webshell
      • IIS, Nginx, and Apache Vulnerabilities
      • .htaccess (Apache) / web.config (IIS)
      • Alternate Data Stream
      • Code Review: bWAPP Unrestricted File Upload
    • SQL Injection (SQLi)
      • Cheat Sheet
      • UNION Attacks
      • Examining the Database
      • Blind SQL Injection
      • WAF Bypass
      • Out-Of-Band (OOB)
      • Webshell and UDF
      • sqlmap
        • Code Review: Initialization
        • Code Review: tamper
    • Cross-Site Scripting (XSS)
      • Cheat Sheet
      • Reflected XSS
      • Stored XSS
      • DOM-Based XSS
      • XSS Contexts
      • CSP
    • CSRF and SSRF
      • Client-Side Request Forgery (CSRF)
        • XSS vs. CSRF
        • CSRF Tokens and SameSite Cookies
      • Server-Side Request Forgery (SSRF)
        • Attacks
        • Bypassing Restrictions
        • SSRF + Redis
    • XML External Entities (XXE)
    • Insecure Deserialization
      • Python Deserialization
      • PHP Deserialization
      • Java Deserialization
        • Shiro
        • FastJSON
        • WebLogic
    • HTTP Request Smuggling
    • OS Command Injection
      • Whitespace Bypass
      • Blacklist Bypass
      • Blind OS Command Injection
      • Lab 1: HITCON 2015 BabyFirst
      • Lab 2: HITCON 2017 BabyFirst Revenge
      • Lab 3: HITCON 2017 BabyFirst Revenge v2
    • ✅Directory Traversal
    • HTTP Parameter Pollution
    • Server-Side Template Injection (SSTI)
    • LDAP Injection
    • Redis
      • Authentication
      • RCE
      • Mitigations
  • Pwn
    • Linux Exploitation
      • Protections
      • Shellcoding
        • Calling Convention
        • Null-free
        • Reverse Shell
        • ORW
      • ROP
        • Stack Alignment
        • ret2text
        • ret2syscall
        • ret2libc
        • ret2csu
        • BROP
        • SROP
        • Stack Pivot
      • ptmalloc
        • chunks
        • malloc() and free()
        • bins
        • tcache
      • UAF
      • Race Conditions
        • TOCTTOU
        • Dirty Cow
        • Meltdown
        • Spectre
      • Kernel
      • Appendix: Tools
        • socat
        • LibcSearcher-ng
        • OneGadget
    • Windows Exploitation
      • Classic
      • SEH
      • Egghunting
      • Unicode
      • Shellcoding
      • ROP
      • Appendix: Tools
        • ImmunityDbg
        • Mona.py
    • Fuzzing
      • AFL++
        • Quickstart
        • Instrumentation
        • ASAN
        • Code Coverage
        • Dictionary
        • Parallelization
        • Partial Instrumentation
        • QEMU Mode
        • afl-libprotobuf-mutator
      • WinAFL
      • Fuzzilli
  • Reverse
    • Bytecode
      • Python Bytecode
    • 👑Z3 solver
    • angr
      • angr Template
Powered by GitBook
On this page
  • Progress
  • [H-1] Users Can Form Malicious Requests to Steal Tokens From Oracles
  • Description
  • Recommendations
  • Resolution
  • [H-2] Malicious Users Can DOS/Hijack Requests From Chainlinked Contracts
  • Description
  • Recommendations
  • Resolution
  • [M-1] Oracles Can Claim Token Payments Without Processing the Request Callback
  • Description
  • Recommendations
  • Resolution
  • [M-2] Oracles’ internalId Can Be Duplicated, Leading to Unrecoverable Link Tokens
  • Description
  • Recommendations
  • Resolution

Was this helpful?

  1. Web3 Security Research
  2. Secureum
  3. Epoch 0
  4. Slot 7: Audit Findings 101

Chainlink - Sigma Prime

PreviousUniswap V3 - Trail of BitsNextOpyn Gamma - OpenZeppelin

Last updated 2 years ago

Was this helpful?

Progress

  • [x] [H-1] Users Can Form Malicious Requests to Steal Tokens From Oracles

  • [x] [H-2] Malicious Users Can DOS/Hijack Requests From Chainlinked Contracts → Not fully understood

  • [x] [M-1] Oracles Can Claim Token Payments Without Processing the Request Callback

  • [x] [M-2] Oracles’ internalId Can Be Duplicated, Leading to Unrecoverable Link Tokens

[H-1] Users Can Form Malicious Requests to Steal Tokens From Oracles

Description

Malicious users can steal tokens from Oracles by crafting and submitting specific requests.

When the owner of the Oracle fulfils a request, it performs an external call on line [118] which is intended to supply the off-chain data to the calling contract. The current implementation is such that a user can manufacture any arbitrary address that the Oracle will call when fulfilling a request, along with any function signature and initial parameter. Thus a user can craft a malicious request to the Link token contract, which when fulfilled, will transfer Link tokens from the Oracle to the attacker.

To detail this further, the call on line [118] is:

return callback.addr.call(callback.functionId, callback.externalId, _data);

A malicious user can create a request, which sets callback.addr to the address of the Link token contract address. They can set callback.functionId to the function signature of transfer(address,uint) and they can set callback.externalId to be a beneficiary address of their choosing. These variables are set when creating a request. The request’s data can be set to ask for a specific value (which is less than or equal to the available Link token balance of the Oracle, i.e. the current price of ether in wei). If an Oracle fulfils such a request and calls fulfillData() (line [101]) with _data being a value, i.e. 200e18 (and the Oracle has more than 200 Link tokens), the call on line [118] will send these tokens to the attacker’s beneficiary address.

An example of this attack is given in the tests that accompany this report, specifically test test_attack_can_steal_oracle_tokens.

Note: This attack is not localized to just Link tokens but to all contracts and functions that do not require more than two parameters. See LNK-02 for a further example.

Recommendations

There are a number of ways to address this issue, some more restrictive (in platform functionality) than others. The least restrictive is to blacklist addresses that callback.addr can take. For example, adding a require statement that ensures callback.addr is not the Link token address would be one approach. Although this resolves the immediate issue, it is typically dangerous to allow external users to set arbitrary addresses and function calls for a low level call as LNK-02 illustrates.

A more restrictive approach would be to only allow callback addresses from the contracts that created the request. This solution would also address LNK-02, LNK-07, and LNK-06. This however may be too restrictive for the purposes of the Chainlink platform.

Resolution

The callback address is now restricted from being the LINK address.

[H-2] Malicious Users Can DOS/Hijack Requests From Chainlinked Contracts

Description

Malicious users can hijack or perform Denial of Service (DOS) attacks on requests of Chainlinked contracts by replicating or front-running [2] legitimate requests.

The Chainlinked(Chainlinked.sol) contract contains the checkChainlinkFulfillment() modifier on line [145]. This modifier is demonstrated in the examples that come with the repository. In these examples this modifier is used within the functions which contracts implement that will be called by the Oracle when fulfilling requests. It requires that the caller of the function be the Oracle that corresponds to the request that is being fulfilled. Thus, requests from Chainlinked contracts are expected to only be fulfilled by the Oracle that they have requested. However, because a request can specify an arbitrary callback address, a malicious user can also place a request where the callback address is a target Chainlinked contract. If this malicious request gets fulfilled first (which can ask for incorrect or malicious results), the Oracle will call the legitimate contract and fulfil it with incorrect or malicious results. Because the known requests of a Chainlinked contract gets deleted (see line [147]), the legitimate request will fail.

It could be such that the Oracle fulfils requests in the order in which they are received. In such cases, the malicious user could simply front-run the requests to be higher in the queue.

We further highlight this issue with a trivial example. Consider a simple contract that is using Chainlink to estimate the price of Ether relative to a random token, which users then purchase based off this price. A malicious user could front-run the price request, putting their own request in with a malicious price source that is significantly lower than the actual price. The callback address of the malicious request would be the simple contract, and once fulfilled, would set the price of the simple contract to the malicious one given in the source.

An example of this attack is given in the test: test_attack_can_hijack_request that accompanies this report.

Recommendations

This issue is related to LNK-01, LNK-07, and LNK-06 in that it arises due to the fact that any request can specify its own arbitrary callback address. A restrictive solution would be the same as given in LNK-01, where callback addresses are localised to the requester themselves.

A less restrictive approach may be to include msg.sender in the callbacks mapping in Oracle.sol. Then, when fulfilling the request, the Oracle could send the msg.sender as an extra parameter. The checkChainlinkFulfillment() modifier can then accept or reject the fulfilment based on the original requester, preventing malicious requests from being fulfilled.

Resolution

The internalId within an Oracle has been modified to requestId which is a Keccak hash of the sender with the sender’s nonce. This same id is used within the Chainlinked contracts which is required to fulfil a request. Thus a malicious user can no longer hijack requests, as doing so would require the malicious request to be sent from the Chainlinked contract in order to generate an equivalent requestId.

[M-1] Oracles Can Claim Token Payments Without Processing the Request Callback

Description

An Oracle can “fulfil” a request without updating state or performing useful calls to the requester. This is due to the lack of gas stipend in the external call made on line [118].

This means an Oracle when submitting a fulfilment request can choose a gas amount which is only enough to perform the operations of changing its own state (that is, lines [110] through [114] and approx 52000 gas) and leave little for the external call (the delete on line [113] provides a gas refund meaning some gas will be left for the call). In such a scenario, the external call will fail, however the current transaction will pass, which allows Oracles to withdraw the tokens for the given request.

See the test test_attack_oracle_fulfill_no_callback for an example.

It should be noted, that even if the Oracle is assumed to not be malicious, it could still be possible that estimateGas may incorrectly determine the gas to be sent in the external call. Thus an Oracle can mistakenly be paid without fulfilling the request and as the callbacks mapping is deleted, cannot resend the request.

If an Oracle, blindly follows estimateGas, then this leaves an Oracle vulnerable to malicious requests which consume large amounts of gas, such as creating Gas Tokens [3].

Recommendations

One solution would be to require Oracles to dedicate at least some fixed amount of gas for updating the callback contract. This amount is dependent on how much state/operations are expected for implementations of such callback functions in the Chainlink platform.

There are a number of ways this could be implemented in the current code. One such way would be to implement a lower bound on the gas required to send for a callback. This could be done by adding a require statement that ensures the Oracle has dedicated at least some constant (here gasConstant) amount of gas for the callback contract. For example, adding the following just above line [118]:

require (gasleft () >= gasConstant);

Alternatively, an upper-bound on gas sent could be set by specifying a fixed amount in the external call itself. This solution would also prevent malicious callback requests from consuming large amounts of gas.

Resolution

A minimum gas limit of 400000 was introduced. This forces Oracles to supply at least 400000 gas when fulfilling a request. For malicious contracts trying to exploit excess Oracle gas, it is up to the Oracle to decide whether or not to pay for any extra gas beyond the 400000, which they can do when performing the transaction.

[M-2] Oracles’ internalId Can Be Duplicated, Leading to Unrecoverable Link Tokens

Description

The internalId is constructed from the keccak hash of msg.sender and _externalId (which is an arbitrary value sent by the caller). Although the Chainlinked contracts increment this value, it is possible for contracts to implement their own versions or call the Oracle directly (via the Link token). In such cases, a repeated _externalId from a contract/address will lead to a duplication of internalId in the Oracle contract (one example would be an implementation that accidentally sends 0 as the externalId many times, or repeats an id).

In such cases, the Link tokens that were sent in the previous request (of the same internalId) become unrecoverable as the callbacks mapping entry gets overridden. This means a user cannot cancel the original request, nor can the Oracle fulfil the original request.

As the withdraw() function can only withdraw withdrawableWei amount of tokens, the original tokens sent to the contract are also non-withdrawable.

Please refer to the test_duplicate_id_lost_tokens test that accompanies this report for an exploitation example.

Recommendations

This vulnerability can be mitigated by ensuring that an internalId does not exist before entering it into the callbacks mapping. More specifically, adding a require after line [76] which ensures that the internalId is not currently in use, will prevent overwriting the callbacks mapping.

Alternatively, a nonce could be introduced in the generation of internalId, however this would require modifying the logic of the cancel() function to accommodate duplicate externalId entries.

Resolution

A require statement has been added on line [86] which ensures there is no current entry in the callbacks mapping, preventing duplication.

✅
✅
✅
✅
public-audits/review.pdf at master · sigp/public-auditsGitHub
Logo