Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>Threat Model>Module object.move
GeneralOverview
Findings
Critical (3)
High (12)
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?
stdlibModule block.moveModule table.moveModule event.moveModule type_info.moveModules any.move and copyable_any.moveModule address.moveModule cosmos.moveModule multisig.moveModule object.moveModule transaction_context.moveModule debug.moveModule table_key.moveModule account.moveModule base64.moveModule hex.moveModule from_bcs.moveModule json.moveModule oracle.moveModule code.moveModule zapping.moveModule dex.moveModule reward.moveModule comparator.moveModule managed_coin.moveModules decimal128.move and decimal256.moveModule string_utils.move
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass

Module object.move

Function: address_to_object

This function can be used to get an instance of Object for a given type at a given address.

Inputs

  • Type T<key>

    • Validation: An object of type T must exist at the given address.

    • Impact: Type of the returned Object instance.

  • object: address

    • Validation: An object of type T must exist at the given address.

    • Impact: Address of the returned Object.

Function: is_object

This function can be used to test whether an address owns an Object.

Inputs

  • object: address

    • Validation: None required.

    • Impact: Address to test.

Function: create_object_address

This function can be used to derive the address of an object given the address of the creator and a bytes seed. Note that this function does not create the object, it only generates the address for an object generated from the given address and seed.

Inputs

  • source: address

    • Validation: None required.

    • Impact: Address of the creator of the object.

  • seed: vector<u8>

    • Validation: None required.

    • Impact: Seed used to derive the object address.

Function: create_user_derived_object_address

This function can be used to derive an object address obtained from the address of the creator and another address. Note that the derived address differs from the address returned by create_object_address, even if the latter is given and encoded address as a seed.

Inputs

  • source: address

    • Validation: None required.

    • Impact: Address of the creator of the object.

  • derive_from: address

    • Validation: None required.

    • Impact: Seed used to derive the object address.

Function: create_guid_object_address

This function can be used to derive an object address from the address of its creator and a sequence number. Note that this function uses a different suffix than create_object_address and create_user_derived_object_address, and therefore it is not possible to derive the same object address by encoding, for example, a particular byte array as a u64. We also note that this function is currently not used by the Initia standard library.

Inputs

  • source: address

    • Validation: None required.

    • Impact: Address of the creator of the object.

  • creation_num: u64

    • Validation: None required.

    • Impact: Sequence number used as seed to derive the object address.

Function: object_address

This function can be used to get the address of an Object.

Inputs

  • Type T<key>

    • Validation: None required.

    • Impact: Type associated with the object.

  • object: Object<T>

    • Validation: None required.

    • Impact: Object which address is returned.

Function: convert

This function can be used to convert an Object of a type into an Object of a different type, owned by the same address. Note that an object of the destination type must exist at the given address.

Inputs

  • Type X<key>

    • Validation: None required.

    • Impact: Source type.

  • Type Y<key>

    • Validation: An object of this type must exist at the address of the source object.

    • Impact: Destination type.

  • object: Object<X>

    • Validation: An object of the destination type must exist at the address of this source object.

    • Impact: Object to convert.

Function: create_named_object

This function can be used to create an object on behalf of a signer, with its address derived from a bytes seed (ref. create_object_address).

We note that the function can be used by any contract, and that although the documentation suggests that "named objects cannot be deleted", the function allows to specify can_delete = true. We did not identify an exploitable issue due to this behavior, which we attribute to an error in the documentation.

Inputs

  • creator: &signer

    • Validation: None required.

    • Impact: Owner of the object.

  • seed: vector<u8>

    • Validation: None required.

    • Impact: Seed used to derive the object address.

  • can_delete: bool

    • Validation: None required.

    • Impact: Determines whether the object is marked as deletable.

Function: create_user_derived_object

This function can be used to create an object on behalf of an address, with its address derived from the address of another object (ref. create_user_derived_object_address). Note that the function can only be called by friend modules, and that the DeriveRef required to invoke it can only be obtained from the ConstructorRef for the same object.

Inputs

  • creator_address: address

    • Validation: None required.

    • Impact: Owner of the object.

  • derive_ref: &DeriveRef

    • Validation: None required.

    • Impact: Seed used to derive the object address.

  • can_delete: bool

    • Validation: None required.

    • Impact: Determines whether the object is marked as deletable.

Function: create_object

This public function can be used to create an object owned by a given address, with a unique address (not controlled by the caller in any meaningful way).

Inputs

  • owner_address: address

    • Validation: None required.

    • Impact: Owner of the object.

  • can_delete: bool

    • Validation: None required.

    • Impact: Determines whether the object is marked as deletable.

Function: generate_delete_ref

This function can be used to create a DeleteRef, a capability that allows to remove an existing object.

Inputs

  • ref: &ConstructorRef

    • Validation: The object must have been created as deletable.

    • Impact: ConstructorRef identifying the object for which the DeleteRef capability will be created.

Function: generate_extend_ref

This function can be used to create an ExtendRef, a capability that allows to extend an existing object. The capability allows to generate a signer for the object, and thus to create more child objects on behalf of the object to be extended.

Inputs

  • ref: &ConstructorRef

    • Validation: None required.

    • Impact: ConstructorRef identifying the object for which the capability will be created.

Function: generate_transfer_ref

This function can be used to create a TransferRef, a capability that allows to transfer ownership of an object as well as to control whether the object can be transferred by its owner without using a TransferRef capability (controlling the allow_ungated_access flag).

Inputs

  • ref: &ConstructorRef

    • Validation: None required.

    • Impact: ConstructorRef identifying the object for which the capability will be created.

Function: generate_derive_ref

This function can be used to create a DeriveRef, a capability that allows to create an object at a deterministic address derived from the address of the creator and the address of the object referred to by the ConstructorRef. Note that there is no nonce, and thus for any given caller and ConstructorRef, only a single object address can be derived.

Inputs

  • ref: &ConstructorRef

    • Validation: None required.

    • Impact: ConstructorRef identifying the object for which the capability will be created.

Function: generate_signer

This special function can be used to create a signer instance for performing actions on behalf of the address referenced by the ConstructorRef.

Inputs

  • ref: &ConstructorRef

    • Validation: None required.

    • Impact: ConstructorRef identifying the object for which the signer will be created.

Function: delete

This function can be used to delete an object from global storage.

Inputs

  • ref: DeleteRef

    • Validation: Version of the DeleteRef must match the version of the global ObjectCore object.

    • Impact: Identifies the object to be deleted.

Function: generate_signer_for_extending

This function can be used to generate a signer from an ExtendRef.

Inputs

  • ref: &ExtendRef

    • Validation: Version of the ExtendRef must match the version of the global ObjectCore object.

    • Impact: Identifies the object for which the signer will be created.

Functions: enable_ungated_transfer, disable_ungated_transfer

This function can be used to enable or disable ungated transfer. If ungated transfer is enabled, an object can be transferred freely by its owner. When ungated transfer is disabled, transferring ownership of an object requires a corresponding TransferRef (or LinearTransferRef).

Inputs

  • ref: &TransferRef

    • Validation: Version of the TransferRef must match the version of the global ObjectCore object.

    • Impact: Identifies the object for which ungated transfer should be enabled/disabled.

Function: generate_linear_transfer_ref

This function can be used to generate a LinearTransferRef for an object, a one-time-use capability that can be used by the object owner to transfer the object.

Inputs

  • ref: &TransferRef

    • Validation: Version of the TransferRef must match the version of the global ObjectCore object

    • Impact: Identifies the object for which the LinearTransferRef will be created.

Function: transfer_with_ref

This function can be used by the owner of an object to transfer it to a different address, given a LinearTransferRef for the object.

Inputs

  • ref: LinearTransferRef

    • Validation: Version of the LinearTransferRef must match the version of the global ObjectCore object.

    • Impact: Identifies the object to be transferred.

  • to: address

    • Validation: None required.

    • Impact: Address of the new owner for the object.

Function: transfer_raw

This function can be used by the owner of an object to transfer it. Ungated transfer must be enabled for the object being transferred.

Inputs

  • owner: &signer

    • Validation: Must be the (possibly indirect) owner of the object.

    • Impact: Authorizes the transfer.

  • object: address

    • Validation: Must be owned by owner and have ungated transfer enabled.

    • Impact: Address of the object to be transferred.

  • to: address

    • Validation: None required.

    • Impact: Address of the new owner of the object.

Zellic © 2024Back to top ↑