
Return datasize unchecked

In several YUL snippets, external functions are called and values are loaded from the return data without any check on its length. As a consequence, unrelated memory contents can be loaded into variables or returned. This mostly occurs when returning the module address.

function checkSetupAndEnableModule(
	address, //setupContract
	bytes calldata //setupData
) external override returns (address) {

	...
	// copy the returndata to ptr
	let size := returndatasize()
	returndatacopy(ptr, 0, size)

	// size is never compared against the expected encoded length before the loads below
	switch success
	case 0x1 {
		// word 0 of the return data: the bool success flag
		moduleInstallationSuccess := mload(ptr)
		// word 3 of the return data: first word of the returned bytes, read as the module address
		module := mload(add(ptr, 0x60))
	}
	case 0x0 {
		revert(ptr, size)
	}
	...
}

In the example above, the call to execTransactionFromModuleReturnData is guaranteed to return a module address. The source of that module address, however, has the same unchecked-return-data issue when the module is set up. We do not consider this to be a security issue because all modules are attested to be created by the Biconomy team and should therefore return the correct values.
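As an added example (not the Biconomy code nor the fix from the commit below), a hardened version of the same decode path: it compares returndatasize() against the minimum ABI-encoded length of a (bool, bytes) return before loading the module address from offset 0x60. The contract, function and error names, and the assumption that the target returns (bool success, bytes memory returnData) with the module address in the first word of returnData, are the example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not from the audited codebase.
contract ReturnDataLengthCheck {
    // Raised when the callee returned fewer bytes than the expected encoding.
    error ShortReturnData(uint256 size);

    function callAndDecodeModule(address target, bytes memory callData)
        internal
        returns (bool moduleInstallationSuccess, address module)
    {
        uint256 size;
        bool ok;
        assembly {
            let ptr := mload(0x40)
            let success := call(gas(), target, 0, add(callData, 0x20), mload(callData), 0, 0)
            size := returndatasize()
            returndatacopy(ptr, 0, size)

            // A failed call bubbles the callee's revert data unchanged.
            if iszero(success) { revert(ptr, size) }

            // Expected layout: [bool][offset to bytes][bytes length][first data word],
            // i.e. at least 4 words (0x80 bytes). A target that returns nothing
            // (for example an EOA, size 0) would otherwise leave stale memory at
            // ptr + 0x60 to be read as the module address.
            if iszero(lt(size, 0x80)) {
                // The inner bytes must also hold at least one full word.
                if iszero(lt(mload(add(ptr, 0x40)), 0x20)) {
                    ok := 1
                    moduleInstallationSuccess := iszero(iszero(mload(ptr)))
                    // Mask to 160 bits so dirty upper bytes cannot alter the address.
                    module := and(
                        mload(add(ptr, 0x60)),
                        0xffffffffffffffffffffffffffffffffffffffff
                    )
                }
            }
        }
        if (!ok) revert ShortReturnData(size);
    }
}
```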

This issue has been acknowledged by Biconomy, and a fix was implemented in commit a2576d6b.

Zellic © 2024