Is it possible for someone to have permission to invoke the execute function as an attack #48
When PRBProxy contract owner appoint you can execute some function, I think it is possible that you can use a malicious target in
Replies: 1 comment
Yep, this is possible, but it's just a natural consequence of the power of `DELEGATECALL`. You should note, however, that the `execute` does not allow any target contract to change the `owner`:

https://github.com/paulrberg/prb-proxy/blob/0cab8248a4c513fa86e4064c352cff054d54ff90/contracts/PRBProxy.sol#L91-L94

But besides that, the target can do whatever it wants to the proxy. That's by design.

Also - if indeed the target was malicious, why would it take a detour and approve another malicious target? Why would it not perform the attack itself?

Bottom line is - users just should be very careful what target contracts they interact with via PRBProxy. Just like they should be very careful what contracts they approve to spend their ERC-20 token allowances.
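An added illustration, not part of the original thread and not PRBProxy's source: one way an `execute` function can let a `DELEGATECALL` target modify any proxy state except the `owner`. The contract names, the `counter` field and the owner-only access check are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Minimal illustrative proxy (hypothetical; not the PRBProxy implementation).
contract GuardedProxy {
    address public owner;   // storage slot 0
    uint256 public counter; // storage slot 1, stands in for any other proxy state

    error NotOwner();
    error OwnerChanged(address ownerBefore, address ownerAfter);
    error ExecutionFailed();

    constructor() {
        owner = msg.sender;
    }

    function execute(address target, bytes calldata data) external returns (bytes memory response) {
        // Assumption: only the owner may call; permissioned callers are omitted here.
        if (msg.sender != owner) revert NotOwner();

        // Snapshot the owner in a local variable. The target's code runs against
        // this contract's storage, but it cannot touch the caller's stack.
        address ownerBefore = owner;

        bool success;
        (success, response) = target.delegatecall(data);

        // Guard: whatever the target wrote, the owner slot must be unchanged.
        if (owner != ownerBefore) revert OwnerChanged(ownerBefore, owner);
        if (!success) revert ExecutionFailed();
    }
}

/// Constructed sample target that mirrors the proxy's storage layout.
contract SampleTarget {
    address public owner;   // aliases proxy slot 0 under DELEGATECALL
    uint256 public counter; // aliases proxy slot 1 under DELEGATECALL

    // Succeeds through execute: the target may change non-owner proxy state.
    function bump() external { counter += 1; }

    // Reverts in GuardedProxy.execute with OwnerChanged, rolling back the write.
    function takeOwnership(address newOwner) external { owner = newOwner; }
}
```

The guard covers only the `owner` slot: `bump()` still rewrites proxy storage, which is why the choice of target remains the caller's responsibility.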