SunWeb3Sec/DeFiHackLabs

[IMPROVEMENT IDEAS] Dealing with implementation behind proxy contract i.e. deploy, upgrade, admin etc.

viper7882 opened this issue · 2 comments

Hi,

Thank you for the fantastic and comprehensive guidance on the details of DeFi hacking for good.

As captured in the title, I would like to propose that you consider adding topics related to proxy contracts.

The rationale for proposing proxy contracts is that recently there has been increasing popularity in deploying proxy contracts, as well as some reported incidents of upgraded implementation contracts being exploited. There are quite a number of vulnerabilities that could be introduced by the flow of a proxy contract, including deployment, access control, upgradeability, ABI exposure, interface visibility in the implementation contract, etc.

For instance, one issue that I recently encountered when dealing with a proxied contract is having to manually compare the ABI of the proxy contract + contract code of the proxy contract + ABI of the implementation contract in order to have a complete view of the ABI.

Proxy ABI->Solidity:

interface MyInterface {
    event AdminChanged(address previousAdmin, address newAdmin);
    event BeaconUpgraded(address indexed beacon);
    event ImplementationChanged(
        uint256 indexed timestamp,
        address newImplementationAddress
    );
    event Upgraded(address indexed implementation);

    fallback() external payable;

    function changeProxyAdmin(address _newAdmin) external;

    function getProxyAdmin() external view returns (address);

    function implementation() external view returns (address);

    function upgradeTo(address _newImplementation) external;

    receive() external payable;
}

Function inside the proxy contract (snippet):

    /**
     * @dev Transfers ownership of the contract to a new account (`newOwner`).
     * Can only be called by the current owner.
     */
    function transferOwnership(address newOwner) public virtual onlyOwner {
        require(newOwner != address(0), "Ownable: new owner is the zero address");
        _setOwner(newOwner);
    }

    function _setOwner(address newOwner) private {
        address oldOwner = _owner;
        _owner = newOwner;
        emit OwnershipTransferred(oldOwner, newOwner);
    }

ABI of the implementation contract (snippet):

function transferOwnership(address newOwner) external;

How is a DeFi developer going to find out the true interface of transferOwnership in this case? To the best of my knowledge, there is no tool to help extract the ABI of the proxy + functions within the proxy + ABI of the implementation contract. Please feel free to share with us in case you know otherwise.

With your in-depth knowledge and experience in DeFi, I trust that sharing the topics mentioned above will further improve the security of DeFi as you've envisioned. I sincerely hope you will consider adding proxy contract topics in the near future, as well as adding related tests to DeFiHackLabs.

Thank you for your attention.
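Added example, not part of the original issue or of DeFiHackLabs: a Python sketch of the combined view the post above asks for, merging the proxy ABI, functions found in the proxy source, and the implementation ABI, and listing implementation functions the proxy also declares (the proxy's dispatcher matches those calls before its fallback can delegate them). The inputs are constructed from the post's snippets, the function names are hypothetical, and it compares canonical signatures rather than 4-byte selectors because keccak256 is not in the Python standard library, so clashes between different signatures are out of scope.

```python
import json
import re

# Constructed inputs modelled on the snippets in the post (not real on-chain data).
PROXY_ABI = json.loads("""[
  {"type": "function", "name": "changeProxyAdmin", "inputs": [{"type": "address"}]},
  {"type": "function", "name": "implementation", "inputs": []},
  {"type": "function", "name": "upgradeTo", "inputs": [{"type": "address"}]},
  {"type": "fallback"}, {"type": "receive"}]""")
IMPL_ABI = json.loads("""[
  {"type": "function", "name": "transferOwnership", "inputs": [{"type": "address"}]}]""")
PROXY_SOURCE = """
    function transferOwnership(address newOwner) public virtual onlyOwner { _setOwner(newOwner); }
    function _setOwner(address newOwner) private { _owner = newOwner; }
"""

def canonical_type(param):
    # ABI type string; a tuple expands to (t1,t2,...) plus any array suffix.
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param["components"])
        return "(" + inner + ")" + t[len("tuple"):]
    return t

def abi_signatures(abi):
    return {e["name"] + "(" + ",".join(map(canonical_type, e.get("inputs", []))) + ")"
            for e in abi if e.get("type") == "function"}

def source_signatures(src):
    # Heuristic: public/external functions with elementary parameter types only.
    alias, sigs = {"uint": "uint256", "int": "int256"}, set()
    for name, params, mods in re.findall(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)", src):
        if re.search(r"\b(public|external)\b", mods):
            types = [p.split()[0] for p in params.split(",") if p.strip()]
            sigs.add(name + "(" + ",".join(alias.get(t, t) for t in types) + ")")
    return sigs

def combined_view(proxy_abi, proxy_src, impl_abi):
    # Map each signature to where it is declared, and list implementation
    # functions the proxy also declares: the proxy answers those calls itself.
    sources = {"proxy-abi": abi_signatures(proxy_abi),
               "proxy-source": source_signatures(proxy_src),
               "implementation-abi": abi_signatures(impl_abi)}
    view = {}
    for label, sigs in sources.items():
        for sig in sigs:
            view.setdefault(sig, []).append(label)
    shadowed = sorted(s for s, w in view.items() if "implementation-abi" in w and len(w) > 1)
    return view, shadowed
```

Calling `combined_view(PROXY_ABI, PROXY_SOURCE, IMPL_ABI)` returns the merged signature map and the list of signatures declared on both sides.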

Many proxy-related vulnerabilities are included in the proxy security website https://proxies.yacademy.dev but if there are missing vulnerabilities you can submit a PR at https://github.com/YAcademy-Residents/Proxies-website

Cool. Let me close this for now