Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Superfluid.sol allows for composable Superfluid agreements in a single transaction. I have no idea what this means (lolz). The important thing to note is that the main contract and the agreements have a concept of context (ctx).

The ctx is a serialized state for through the entire transaction for different agreement calls. This context includes information about the original msg.sender even.

The convention of callAgreement is to use a placeholder ctx so that Solidity can read it directly from the argument ctx that should be there.

The flow of operations is like so for verifying:

1. Call deleteAnyFlowBad.
2. Call callAgreement. This creates the ctx and puts a stamp on it.
3. Call createFlow to verify that the calling host contract is authorized to do so.
4. Call authorizeTokenAccess to hand over the ctx and deserialize the original call.

The vulnerability occurs in the parsing of the ctx structure within the function deleteAnyFlowBad. After everything is merged into a single byte array. The expected empty ctx can contain spoofed data, causing a MAJOR problem to occur. Since the abi decoder ignores the legit ctx, we have now tricked the code into parsing the wrong ctx.

With the ability to craft an arbitrary ctx, the calldata can be crafted to impersonate other users. This can be used to create IDA indexes on behalf of other users to steal tokens in their possession.

The contracts had been previous audits by several users and Peckshield. They have decided to add a bug bounty program and get more audits in the future. Overall, a super interesting bug in extremely complicated code.