Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(protocol): verify target address is a contract address in DelegateOwner #17328

Merged
merged 1 commit into from
May 25, 2024
Merged

fix(protocol): verify target address is a contract address in DelegateOwner #17328

merged 1 commit into from
May 25, 2024

Conversation

dantaik
Copy link
Contributor

@dantaik dantaik commented May 25, 2024

Fix bug report from OZ: L-16 Diff-Audit: ‘DelegateOwner’ Does Not Check for Contract Existence

The DelegateOwner contract is intended to be deployed on L2 and set as the owner of all the other L2 contracts. The DAO on L1 can then call it through the Bridge contract to execute arbitrary calls in its name. This could for example be used by the DAO to execute privileged functions on L2 from the L1. Calls from the DelegateOwner can be either low-level calls or delegate calls based on an input parameter.

However, low-level calls in Solidity do not check for contract existence. Such calls could thus be considered successful if the contract called has not been deployed yet, resulting in silent failures.

Consider adding a validation of the contract's existence if the given call.txdata is non-empty.

@dantaik dantaik requested review from adaki2004 and Brechtpd May 25, 2024 04:31
@dantaik dantaik marked this pull request as ready for review May 25, 2024 04:31
@openzeppelin-code OpenZeppelin Code
Copy link

fix(protocol): verify target address is a contract address in DelegateOwner

Generated at commit: 39505e5caedd74ae5291711c3708c10c8db2b5e4

🚨 Report Summary

Severity Level Results
Contracts Critical
High
Medium
Low
Note
Total		 2
2
0
8
42
54
Dependencies Critical
High
Medium
Low
Note
Total		 0
0
0
0
0
0

For more details view the full report in OpenZeppelin Code Inspector

@dantaik dantaik enabled auto-merge May 25, 2024 05:34
@dantaik dantaik added this pull request to the merge queue May 25, 2024
Merged via the queue into main with commit 0c3c0e1 May 25, 2024
4 checks passed
@dantaik dantaik deleted the delegate_owner_improvement branch May 25, 2024 08:38
@taiko-kitty taiko-kitty mentioned this pull request May 25, 2024
Merged
@taiko-kitty taiko-kitty mentioned this pull request Jun 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adaki2004 adaki2004 adaki2004 approved these changes

@Brechtpd Brechtpd Brechtpd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dantaik @Brechtpd @adaki2004