3. Bug Bounty On The ConsenSys And Whitelisted Multisigs

Bug Bounty On The ConsenSys And Whitelisted Multisigs

I've discovered an issue in Whitelisted Multisig wallet code that allows for something I would call a hidden owner attack.

The issue is contained to the "multiowned" contract and is caused by missing address duplicity check (necessity of which is implied in the addOwner function) in the constructor code.

First I will describe the attack and then delve into how it works.

The attack has three steps:

a) First we deploy the contract with an array of owners with one address duplicated, something like this:

["0xca35b7d915458ef540ade6068dfe2f44e8fa733c", "0x14723a09acff6d2a60dcdf7aa4aff308fddc160c", "0x14723a09acff6d2a60dcdf7aa4aff308fddc160c"]

b) Then we call removeOwner with the duplicated address as an argument: removeOwner("0x14723a09acff6d2a60dcdf7aa4aff308fddc160c")

After this call, isOwner("0x14723a09acff6d2a60dcdf7aa4aff308fddc160c") correctly returns false.

c) Now we remove an owner preceding the duplication:

removeOwner("0xca35b7d915458ef540ade6068dfe2f44e8fa733c")

isOwner("0xca35b7d915458ef540ade6068dfe2f44e8fa733c") now returns false, but isOwner("0x14723a09acff6d2a60dcdf7aa4aff308fddc160c") suddenly returns true again!

How did this happen?

When we called removeOwner with the duplicated address, it was correctly removed from m_ownerIndex array, but the second instance remained in the m_owners array. At this point, there is no entry in the m_ownerIndex array pointing to the index of the duplicated address, so isOwner returns false, but that changes when we remove the second address. After removal, reorganizeOwners function is called and the orginal place of the address being removed is taken by the dormant instance of the duplicated address.

Level of exploitability depends on the implementation of the UI for the wallet, because on closer examination of the contract's state, it is possible to detect something is not quite right after step b), but anybody relying on isOwner function, or m_ownerIndex array to check the ownership will be completely fooled.

One scenario in which this can be exploited is when the wallet is being transferred between owners, it is possible to convince user or users that they are sole owners of the wallet, when that's not the case.

Easiest fix is adding owner duplicity check to the constructor.

During the audit I also discovered couple efficiency issues that I plan to compile to a separate post.

/r/ethdev Thread
Previous
Next

Recently removed from /r/ethdev

I thought Getting into Web3 would be a piece of Cake Wallet for local devtesting... ? :) Creating a token with 0 decimal places? Monthly ''Who's hiring, and who's for hire'' June, 2018 A fair Ponzi scheme. I've made a cool looking DAPP with Metamask and web3 Second Bug Bounty for Status ICO Buyer Contract

More Random Comments

Don't play this game if you can't handle losing, even Casual I am so hyped right now Protesting Nike while wearing Nikes Peter Lloyd - Should adverts be BANNED if the ASA deem them SEXIST? I'm Tired of Being Shamed for being Liberal Nike cuts A$AP Bari I [F25] just "humiliated" my boyfriend's [M27] family friend [F25] in front of his family by inadvertently exposing her various white lies. Now they're mad at me? Want to get notification when my dryer shuts off What to do when your partner says "give me a very good explanation or ask to be forgiven for what you've done" which was argue about your needs? When should I (17M) start complimenting my girlfriend (16F) on her legs and overall body? Why do the lefty subs ban people over almost anything? Does anybody have the email for London's Child Services? MY MANAGER IS TRYING TO BULLY ME OUT OF MY JOB, WHAT SHOULD I DO?! PCPP BUILD LIST (First build) [RT!] Reincarnation manga and more