-
Notifications
You must be signed in to change notification settings - Fork 7
0x52 - Merkle leaf values for _clubDivsMerkleRoot are 64 bytes before hashing which can lead to merkle tree collisions #300
Comments
Escalate for 10 USDC I encountered the same issue, and I will provide my analysis on why this is not an issue in the current codebase, not even to classify as a medium. The problem described is that the concatenation (which will be of 64 bytes long, if keccak256 is used) of 2 internal nodes of a merkle tree could collide with leaf values that also are 64 bytes long. For example: Leaf Value (64 bytes), ignore the
Internal Node 1: Internal Node 2: There we have a collision of a leaf value with the concatenation of the hash values of 2 sorted internal nodes. In the current codebase, the probability of this to happen is negligible. The leaf value is computed as the concatenation of Then, the maximum value the leaf can have is (again the
For a potential collision to happen, the concatenation of 2 internal nodes (which are keccak256 values) must be equal or smaller than the above number. Due to the inequality (equal or smaller) we are only interested in the internal node that will end-up on the left side. The hash value of the left-side internal node will need to be smaller than:
Which has 55 leading zeros. The lowest hash found in the bitcoin network has 23 leading zeros reference. Please keep in mind that OZ contracts are too general and that's why they put the warning, not to mention that the warning is a "should" not a "must" since the exploitation of this phenomenon will depend highly on the contracts which uses their MerkleProof library. If the values that make up the leaf were to be controllable by the users, I would agree this is a medium or even a high vulnerability, but the leaf is made up of values, PD: I would argue that issues reported based on warnings written in general-purpose libraries, should be accompanied with proof of concepts (coded or not) on how can be exploited in the codebase, even if it has some hypotheticals in the case of mediums, but not too hypothetical like producing a hash value with 55 leading zeros. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalate for 10 USDC, As per my report of the issue: For the issue to be valid there only needs to be a very specific value of The specific value which the clubId should be equal to is: The owner of the contract has the power to mint arbitrary values (nowhere it is stated that it would be an auto-incremented id): So the Given that the vulnerability is only exploitable if the team decides to open the mint to the public in the future or if the owner account is compromised, the severity can be lowered. However the reasons for which the sponsor found this issue interesting and worth to fix still hold. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalate for 10 USDC I totally agree with SergeKireev, I missed that clubID is not incremented 1 by 1 but controlled by the protocol owner. But I think the severity is still low / informational since this is not exploitable unless owner makes a mistake. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Based on the escalation and other duplicate report, can be a valid medium, severity is not high |
Escalate for 10 USDC. I disagree with the downgrade to medium, even though I had originally reported this issue with a medium severity (see my report on 209). The sponsor considered realistic the scenario where the user can control the tokenId value, so much so that stated that after audit they will explicitly prevent it that case (see the sponsor comment on report 179). Before the sponsor acknowledgment, as I said on my report, the exploitability was theoretical, therefore a medium severity was adequate. Basically, it violated the "attack path is possible with reasonable assumptions that mimic on-chain conditions" requirement from the high severity definition here. However, post-acknowledgment I strongly believe this requirement is now satisfied. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalation accepted Valid medium |
|
0x52
high
Merkle leaf values for _clubDivsMerkleRoot are 64 bytes before hashing which can lead to merkle tree collisions
Summary
FootiumAcademy hashes 64 bytes when calculating leaf allowing it to collide with the internal nodes of the merkle tree.
Vulnerability Detail
MerkleProofUpgradeable.sol puts the following warning at the beginning of the contract:
FootiumAcademy.sol#L235-L240
This is problematic because FootiumAcademy uses clubId and divisionTier as the base of the leaf, which are both uint256 (32 bytes each for 64 bytes total). This allows collision between leaves and internal nodes. These collisions could allow users to mint to divisions that otherwise would be impossible.
Impact
Users can abuse merkle tree collisions to mint in non-existent divisions and bypass minting fees
Code Snippet
FootiumAcademy.sol#L228-L272
Tool used
Manual Review
Recommendation
Use a combination of variables that doesn't sum to 64 bytes
The text was updated successfully, but these errors were encountered: