Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

State Variable Shadowing #258

Closed
code423n4 opened this issue Jul 8, 2022 · 1 comment
Closed

State Variable Shadowing #258

code423n4 opened this issue Jul 8, 2022 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/jbx-protocol/juice-contracts-v2/blob/main/contracts/system_tests/TestAllowance.sol#L16
https://github.com/jbx-protocol/juice-contracts-v2/blob/main/contracts/system_tests/helpers/TestBaseWorkflow.sol#L52

Vulnerability details

Impact

Check: shadowing-state
Severity: High
Confidence: High

It is possible to use the same variable twice in Solidity, but it can lead to unintended side effects.The TestAllowance.sol contract inherits from TesTBaseWorkflow.sol. In the TestAllowance.sol contract, address _beneficiary; will shadow state variable in the TesTBaseWorkflow.sol contract. This will lead to major complications since the TesTBaseWorkflow.sol contract initializes the address beneficiary as follows: address private _beneficiary = address(69420); Overall, this can lead to the variable to not be assigned or to simply not work as intended.

Proof of Concept

--TestAllowance._beneficiary (contracts/system_tests/TestAllowance.sol#16) shadows:
- TestBaseWorkflow._beneficiary (contracts/system_tests/helpers/TestBaseWorkflow.sol#52)

Example of vulnerability:
contract BaseContract{

    address owner;
    modifier isOwner(){
    require(owner == msg.sender);
    _;
} }

contract DerivedContract is BaseContract{

address owner;
constructor(){
    owner = msg.sender;
}

function withdraw() isOwner() external{
    msg.sender.transfer(this.balance);
} }

**owner of BaseContract is never assigned and the modifier isOwner does not work.

reference:
https://swcregistry.io/docs/SWC-119
ethereum/solidity#2563

Tools Used

Hardhat,remix

Recommended Mitigation Steps

Remove the state variable shadowing.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jul 8, 2022
code423n4 added a commit that referenced this issue Jul 8, 2022
@code423n4
jayfromthe13th issue #258
10b1104
@mejango
Copy link
Collaborator

mejango commented Jul 8, 2022

test contracts in scope? hm

@mejango mejango added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Jul 12, 2022
@jack-the-pug jack-the-pug added the invalid This doesn't seem right label Jul 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mejango @code423n4 @jack-the-pug