compilationTarget not check will cause security dangerous #1071
Comments
I tried to replicate the issue, but couldn't make it, maybe I followed the wrong steps. Can you please provide more details?
ok.
and then, compile and deploy the MockToken contract first; after that, deploy the TransparentProxy contract with the previous MockToken as the implementation logic. Finally, you can verify the MockToken contract using proxy address BBB because its source file includes ProxyAdmin.sol and ProxyAdmin.sol includes the TransparentProxy source file. I think you compared all the bytecodes in the compile result, not exactly the MockToken bytecodes. Such as: File: Abc.sol. You can successfully verify when you try to use file Abc.sol to verify both contract A and contract B. And you can verify contract A with Abc.sol for B's address. (This is the issue.)
Before actually trying this I should say that Sourcify doesn't support proxies. You cannot use the MockToken source code to verify the proxy contract and vice versa. Or in other words, the intended behavior is that: you can verify the proxy contract only by using the proxy source code, and you can verify the MockToken contract only by using the MockToken source code.
Yes, you are right. However, the reality is that it has mistakenly provided support.
Sorry but I'm still having problems replicating the vulnerability, I hope you can understand :) This is what I did:
I think I'm doing something wrong, probably it's the contract I'm using. Can you please provide an environment in which I can test the problem? Thanks again for the support.
The source of the proxy is the same source as MockToken.sol, is it?
And which proxy do you use? Is it the TransparentProxy in the ProxyAdmin?
And have you seen this? Such as: File: Abc.sol. You can successfully verify when you try to use file Abc.sol to verify both contract A and contract B. And you can verify contract A with Abc.sol for B's address. (This is the issue.)
I can give you my screen snap about it, please wait 5 minutes.
yes
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

contract TransparentUpgradeableProxy is ERC1967Proxy {
    // implementation
```
maybe that's the part I skipped because I didn't get it
This is my test code: I think the reason is that the same JSON file contains both proxy and mockDemo code in it: this is my new demo source:
and this is the explorer URL, the explorer display info comes from the Sourcify API. Thanks. Please help ~~~
Thanks a lot for the detailed description. I'm looking at it 🙏
ok @lolieatapple I finally replicated it! We are on it
Ok, Great! Thanks!~~
* fix missing check for address/chainId
@lolieatapple Fantastic find, but I see that your browser only takes the contract name part of sourcify's compile target. I am concerned that this may lead to ambiguity, take a look at this issue.
I tried again the process on staging.sourcify.dev and it seems solved. (The output is not clear but the proxy contract files are not being replaced by the Mock contract sources)
compilationTarget not check will cause security dangerous.
My contract contains multiple files, one of which can pass verification but is not a compilationTarget. It disguises its code and poses a risk that hackers could use an upgradable contract to mimic an un-upgradable one, leading to security risks.
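The check this issue asks for, as an added JavaScript sketch that is not Sourcify's code and not from any participant in the thread: a matcher that accepts any contract in the compiler output, next to one that compares only the contract named in the metadata's `settings.compilationTarget`. The `Abc.sol` / `A` / `B` names follow the illustration in the comments; the bytecode strings and the function names `looseMatch` and `strictMatch` are constructed for the example, and bytecode comparison is simplified to an exact string match.

```javascript
// Added illustration, not Sourcify's code. Constructed solc standard-JSON
// output: one source file, two contracts; bytecode values are placeholders.
const compilerOutput = {
  contracts: {
    "Abc.sol": {
      A: { evm: { deployedBytecode: { object: "6080aa01" } } },
      B: { evm: { deployedBytecode: { object: "6080bb02" } } },
    },
  },
};

// Constructed metadata: the submitter claims the deployed contract is A.
const metadata = { settings: { compilationTarget: { "Abc.sol": "A" } } };

const normalize = (hex) => hex.replace(/^0x/, "").toLowerCase();

// Behaviour described in the thread: any contract in the output may match,
// so code deployed at B's address "verifies" with metadata that names A.
function looseMatch(output, onchain) {
  for (const [file, contracts] of Object.entries(output.contracts)) {
    for (const [name, c] of Object.entries(contracts)) {
      if (normalize(c.evm.deployedBytecode.object) === normalize(onchain)) {
        return { file, name };
      }
    }
  }
  return null;
}

// Checked version: only the contract named by compilationTarget is compared.
function strictMatch(meta, output, onchain) {
  const targets = Object.entries(meta.settings?.compilationTarget ?? {});
  if (targets.length !== 1) throw new Error("expected exactly one compilationTarget");
  const [file, name] = targets[0];
  const compiled = output.contracts?.[file]?.[name];
  if (!compiled) throw new Error(`target ${file}:${name} missing from compiler output`);
  const same = normalize(compiled.evm.deployedBytecode.object) === normalize(onchain);
  return same ? { file, name } : null;
}

const codeAtB = "0x6080BB02"; // constructed: runtime code found at B's address
console.log("loose :", looseMatch(compilerOutput, codeAtB));
console.log("strict:", strictMatch(metadata, compilerOutput, codeAtB));
```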