Home - Coinspect Security

Superfluid

Total Losses

No Loss

Date

Network

polygon logo polygon

Categories

data validation

Step-by-step

  1. Craft a Context with a forged msg.sender
  2. Get it authorized via the host contract

Detailed Description

This attack relies on a problem in the serialization of the ctx in the Host contract. To understand this, we need to know that Superfluid.sol allows composing agreements from different Super Apps in a single transaction.

To mantain a state throught the different calls to different Supper Apps, this ctx is set by the Host contract.

Nevertheless, it was possible for the attacker to construct an initial ctx that impersonated any user.

The problem can be seen in the updateSubscription method, which uses the AgreementLibrary to authorizeTokenAccess.

Unfortunately, this method does not authorize much besides requiring that the call comes from a particular address.

The attacker can now send a crafted message that set’s anyone as the publisher.

Possible mitigations

  • The git blame of this fix is quite straightforward: the authorizeTokenAccess has to actually call the Host to make sure this context has been aproved by it.