Bumpy Ginger Ram
Medium
In the VVVVCTokenDistributor and VVVVCInvestmentLedger contracts, there is no function for the admin to update the signer address if it gets compromised. This leads to two things:
- The VVV team will be unable to set a replacement for the compromised signer and will be forced to deploy new VVVVCTokenDistributor and VVVVCInvestmentLedger contracts.
- An attacker can use the signer private key to sign ClaimParams containing valid values, which will enable him to drain tokens stored in projectTokenProxyWallets by calling the VVVVCTokenDistributor::claim() function. However, this attack is only feasible if:
  - The approvals granted to the VVVVCTokenDistributor contract have not been revoked.
  - The admin has not paused the claiming functionality of the VVVVCTokenDistributor contract.
- Damage: High
- Likelihood: Low/Medium (recently, many private keys have been compromised in the Web3 space)
Impact Details: An attacker will be able to drain tokens from projectTokenProxyWallets by calling the claim() function with a valid signature and parameters. Additionally, the VVV team will be forced to deploy new VVVVCTokenDistributor and VVVVCInvestmentLedger contracts.
Attack Path:
- The attacker finds the private key associated with signer on VVV's servers (e.g., due to poor security practices or OpSec flaws).
- Using the compromised private key, the attacker signs a ClaimParams struct containing valid values, which will enable him to call the claim() function to drain tokens from projectTokenProxyWallets.
POC:
- Not Needed.
Implement the following function in both the VVVVCTokenDistributor and VVVVCInvestmentLedger contracts to enable the admin to update the signer address if it gets compromised:
+ function setSigner(address _signer) external onlyAuthorized {
+ signer = _signer;
+ }
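Review bot: `signer = _signer;` in setSigner stores whatever address it is given, with no `_signer != address(0)` check and no event, so a mistaken rotation to the zero address is accepted and a rotation leaves no log entry for monitoring to alert on. Suggest adding the zero-address require and emitting an event carrying the old and new signer before the assignment. The function also relies on an onlyAuthorized modifier that is not part of these lines, so confirm that both contracts define it.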
Also, refactor the claim() function implementation to allow users to claim tokens from a single projectTokenProxyWallet at a time. Additionally, introduce a delay mechanism between successive calls to the claim() function. This would mitigate the risk of an attacker repeatedly calling the function to drain all projectTokenProxyWallets, and hopefully the VVV Incident Response team will be able to detect it and act before that happens.
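
The single-wallet claim and the delay recommended above, sketched as an added example that is not VVV's code. The contract name, CLAIM_DELAY and its value, the raw-digest ecrecover check and the storage layout are all assumptions made for illustration; only the idea of proxy wallets approving the distributor comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added illustration: every name below is hypothetical, not taken from the VVV code base.
contract ThrottledDistributor {
    address public immutable admin;
    address public signer;
    IERC20 public immutable token;
    uint256 public constant CLAIM_DELAY = 1 hours;   // assumed value
    mapping(address => uint256) public lastClaimAt;  // keyed by proxy wallet
    mapping(bytes32 => bool) public usedDigest;      // one use per signed claim

    event SignerUpdated(address indexed oldSigner, address indexed newSigner);

    constructor(address _signer, IERC20 _token) {
        require(_signer != address(0), "zero signer");
        admin = msg.sender;
        signer = _signer;
        token = _token;
    }

    function setSigner(address _signer) external {
        require(msg.sender == admin, "not admin");
        require(_signer != address(0), "zero signer");
        emit SignerUpdated(signer, _signer);
        signer = _signer;
    }

    // Exactly one proxy wallet per call, and at most one claim per wallet
    // per CLAIM_DELAY window, so draining many wallets takes many windows.
    function claim(address proxyWallet, uint256 amount, uint256 deadline,
                   uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "expired");
        require(block.timestamp >= lastClaimAt[proxyWallet] + CLAIM_DELAY, "delay");
        // Digest binds chain, contract, caller and wallet (simplified signing scheme).
        bytes32 digest = keccak256(abi.encode(block.chainid, address(this),
            msg.sender, proxyWallet, amount, deadline));
        require(!usedDigest[digest], "replayed");
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        usedDigest[digest] = true;
        lastClaimAt[proxyWallet] = block.timestamp;
        require(token.transferFrom(proxyWallet, msg.sender, amount), "transfer failed");
    }
}
```

The delay is keyed on the proxy wallet because a per-caller timer can be sidestepped with fresh addresses by whoever holds the signer key. Each call can still move up to the wallet's approved allowance, so the delay buys response time for pausing, revoking approvals and rotating the signer; it does not cap the loss from a single wallet.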