Superfluid
Total Losses: No Loss
Date
Network
Categories: data validation
Step-by-step
- Craft a Context with a forged msg.sender
- Get it authorized via the host contract
Detailed Description
This attack relies on a problem in the serialization of the ctx in the Host contract. To understand this, we need to know that Superfluid.sol allows composing agreements from different Super Apps in a single transaction. To maintain state throughout the different calls to different Super Apps, this ctx is set by the Host contract.

Nevertheless, it was possible for the attacker to construct an initial ctx that impersonated any user.

The problem can be seen in the updateSubscription method, which uses the AgreementLibrary to authorizeTokenAccess. Unfortunately, this method does not authorize much besides requiring that the call comes from a particular address: it never checks that the ctx it receives was actually produced by the Host. The attacker can therefore send a crafted message that sets anyone as the publisher.
Possible mitigations
- The git blame of this fix is quite straightforward: the authorizeTokenAccess has to actually call the Host to make sure this context has been approved by it.
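To make the mitigation concrete, here is a simplified, hypothetical model of the two checks side by side. It is written for this write-up and is not Superfluid's code: the names Host, AgreementLibrary, authorizeTokenAccess and updateSubscription mirror the text, but MockHost, issueCtx, isCtxValid, SubscriptionAgreement, publisherOf and the ctx layout (abi.encode of sender and timestamp) are assumptions made for the example. The weak variant only proves who is calling; the fixed variant also asks the host whether it issued that exact ctx, so a ctx the host never produced reverts before any state changes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model written for this write-up. Names mirror the
// ones in the text (Host, AgreementLibrary.authorizeTokenAccess) but none of
// this is Superfluid's actual code.

interface IHost {
    // Assumption for this example: the host can say whether it produced a ctx.
    function isCtxValid(bytes calldata ctx) external view returns (bool);
}

contract MockHost is IHost {
    // keccak256 of every ctx this host has handed out.
    mapping(bytes32 => bool) private _issued;

    // Only the host mints a ctx, and it records the real caller inside it.
    // A caller can obtain a ctx naming itself, never one naming someone else.
    function issueCtx() external returns (bytes memory ctx) {
        ctx = abi.encode(msg.sender, block.timestamp);
        _issued[keccak256(ctx)] = true;
    }

    function isCtxValid(bytes calldata ctx) external view override returns (bool) {
        return _issued[keccak256(ctx)];
    }
}

library AgreementLibrary {
    // WEAK (the pre-fix shape described in the text): proves only that the
    // host is calling, says nothing about where the ctx bytes came from.
    function authorizeTokenAccessWeak(IHost host) internal view {
        require(msg.sender == address(host), "caller is not host");
    }

    // FIXED shape: additionally ask the host whether it issued this exact ctx.
    function authorizeTokenAccess(IHost host, bytes memory ctx) internal view {
        require(msg.sender == address(host), "caller is not host");
        require(host.isCtxValid(ctx), "ctx was not issued by host");
    }

    // Decode the sender recorded in a ctx (layout is this example's assumption).
    function senderOf(bytes memory ctx) internal pure returns (address s) {
        (s, ) = abi.decode(ctx, (address, uint256));
    }
}

contract SubscriptionAgreement {
    using AgreementLibrary for IHost;

    IHost public immutable host;
    // indexId -> publisher, the value the attack in the text overwrote.
    mapping(bytes32 => address) public publisherOf;

    constructor(IHost h) {
        host = h;
    }

    // Vulnerable shape: whoever controls the ctx bytes controls `publisher`.
    function updateSubscriptionWeak(bytes32 indexId, bytes calldata ctx) external {
        host.authorizeTokenAccessWeak();
        publisherOf[indexId] = AgreementLibrary.senderOf(ctx);
    }

    // Hardened shape: a ctx the host never issued reverts before any write.
    function updateSubscription(bytes32 indexId, bytes calldata ctx) external {
        host.authorizeTokenAccess(ctx);
        publisherOf[indexId] = AgreementLibrary.senderOf(ctx);
    }
}
```

The design point is that "msg.sender is the host" and "this ctx was built by the host" are two different facts: the first holds for anything the host forwards on a caller's behalf, so only the second binds the sender recorded in the ctx to a party the host actually saw. Keeping the hash-set in the host (rather than, say, a signature over the ctx) also means a valid ctx cannot be replayed from a different call once the host clears it.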