8000 [SC] Unintended gas exhaustion attack by hyunsooda · Pull Request #1445 · klaytn/klaytn · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
This repository was archived by the owner on Aug 19, 2024. It is now read-only.

[SC] Unintended gas exhaustion attack #1445

Merged
merged 1 commit into from
Aug 31, 2022
Merged

[SC] Unintended gas exhaustion attack #1445

merged 1 commit into from
Aug 31, 2022

Conversation

hyunsooda
Copy link
Contributor

Proposed changes

As the handle of value transfer transaction is created by operators on parent/child chains, the contract call must not execute any other unintended code. The safeTransferFrom() function calls onERC721Received() if the _to parameter is a contract address which can be attacker's contract. This change replaced safeTransferFrom() with transferFrom().

Types of changes

Please put an x in the boxes related to your change.

  • Bugfix
  • New feature or enhancement
  • Others

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • I have read the CONTRIBUTING GUIDELINES doc
  • I have signed the CLA
  • Lint and unit tests pass locally with my changes ($ make test)
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules

Related issues

  • Please leave the issue numbers or links related to this PR here.

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

@hyunsooda
Copy link
Contributor Author

cc. @2dvorak, @hqjang-pepper, @nohkwak, @ian0371

@hyunsooda hyunsooda mentioned this pull request Jun 20, 2022
Closed
9 tasks
hqjang-pepper
hqjang-pepper reviewed Jun 20, 2022
View reviewed changes
contracts/bridge/BridgeTransferERC721.sol
@@ -66,7 +66,7 @@ contract BridgeTransferERC721 is BridgeTokens, IERC721BridgeReceiver, BridgeTran
if (modeMintBurn) {
require(ERC721MetadataMintable(_tokenAddress).mintWithTokenURI(_to, _tokenId, _tokenURI), "mint failed");
} else {
IERC721(_tokenAddress).safeTransferFrom(address(this), _to, _tokenId);
IERC721(_tokenAddress).transferFrom(address(this), _to, _tokenId);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If your change point is applied, onERC721Received() won't be executed even for a normal contract. So I'm concerned that there will be a side effect. Because if we simply use transferfrom(), then we can't check whether to address can receive token or not.
Is it intended?

Copy link
Contributor Author
@hyunsooda hyunsooda Jun 20, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've benn aware that's why the onERC721Received() stands for further treatment when a token receives. This further treatment is not available in the receiver address is not a token contract address. If the transaction signer is the sender of that transaction, we do not need to make this change. However, the problem of the current value transfer design is that the handle transaction of value transfer is signed by the operator on each chain. So, it seems inevitable change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. There's another way to confirm whether we received ERC721 well or not,
But we never know which contract is malicious or not.
So this can be the proper solution

@hyunsooda
Copy link
Contributor Author

@hyunsooda, TODO: Doc update

@henry-will henry-will added this to the v1.9.2 milestone Aug 24, 2022
@hyunsooda hyunsooda merged commit 442f01f into klaytn:dev Aug 31, 2022
@hyunsooda hyunsooda mentioned this pull request Aug 31, 2022
Closed
7 tasks
@hyunsooda
Copy link
Contributor Author

Added doc: klaytn/klaytn-docs#474

@dcground dcground modified the milestones: v1.9.2, v1.10.0 (Kore) Sep 2, 2022
This was referenced Nov 8, 2022
Closed
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@2dvorak 2dvorak 2dvorak approved these changes

@hqjang-pepper hqjang-pepper hqjang-pepper approved these changes

@kjhman21 kjhman21 Awaiting requested review from kjhman21

@KimKyungup KimKyungup Awaiting requested review from KimKyungup

@aidan-kwon aidan-kwon Awaiting requested review from aidan-kwon

@blukat29 blukat29 Awaiting requested review from blukat29 blukat29 is a code owner

@ian0371 ian0371 Awaiting requested review from ian0371 ian0371 is a code owner

@henry-will henry-will Awaiting requested review from henry-will

Assignees

@hyunsooda hyunsooda

Labels
None yet
Projects
None yet
Milestone
v1.10.0 (Kore)
Development

Successfully merging this pull request may close these issues.
5 participants
@hyunsooda @2dvorak @hqjang-pepper @dcground @henry-will
0