{"id":36,"date":"2021-11-06T19:25:42","date_gmt":"2021-11-06T18:25:42","guid":{"rendered":"https:\/\/abch-330809.firebaseapp.com\/blog\/?p=36"},"modified":"2022-01-26T22:21:05","modified_gmt":"2022-01-26T21:21:05","slug":"possible-vulnerability-in-gsn-implementation","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/possible-vulnerability-in-gsn-implementation\/","title":{"rendered":"Possible vulnerability in GSN implementation"},"content":{"rendered":"

The Gas Station Network (<\/span>GSN<\/span><\/a>) helps to execute gas-free transactions, but an incorrect implementation of its functionalities could make any project extremely exploitable. We describe an issue we addressed at Ackee Blockchain<\/a> during a security assessment of one of our clients.<\/span><\/p>\n

<\/p>\n

If we look at GSN documentation a GSN compatible project needs to replace all occurrences of <\/span>msg.sender<\/code>\u00a0with\u00a0<\/span>_msgSender<\/code>\u00a0function.<\/span><\/p>\n

https:\/\/docs.opengsn.org\/contracts\/#receiving-a-relayed-call<\/span><\/a><\/p>\n

This step is generating a possible risk because with Solidity structure (<\/span>msg.sender<\/code>) every developer can rely on its value. But it’s replaced by a custom function (_msgsender()<\/code>) with an arbitrary body (depends on implementation) where we can’t say the same.<\/span><\/p>\n

    <span class="hljs-function"><span class="hljs-keyword">function<\/span> <span class="hljs-title">_msgSender<\/span>() <span class="hljs-title"><span class="hljs-keyword">internal<\/span><\/span> <span class="hljs-title"><span class="hljs-keyword">override<\/span><\/span> <span class="hljs-title"><span class="hljs-keyword">virtual<\/span><\/span> <span class="hljs-title"><span class="hljs-keyword">view<\/span><\/span> <span class="hljs-title"><span class="hljs-keyword">returns<\/span><\/span> (<span class="hljs-params"><span class="hljs-keyword">address<\/span> ret<\/span>) <\/span>{\n        <span class="hljs-keyword">if<\/span> (<span class="hljs-built_in">msg<\/span>.<span class="hljs-built_in">data<\/span>.<span class="hljs-built_in">length<\/span> >= <span class="hljs-number">20<\/span> && isTrustedForwarder(<span class="hljs-built_in">msg<\/span>.<span class="hljs-built_in">sender<\/span>)) {\n            <span class="hljs-comment">\/\/ At this point we know that the sender is a trusted forwarder,<\/span>\n            <span class="hljs-comment">\/\/ so we trust that the last bytes of msg.data are the verified sender address.<\/span>\n            <span class="hljs-comment">\/\/ extract sender address from the end of msg.data<\/span>\n            <span class="hljs-keyword">assembly<\/span> {\n                ret := <span class="hljs-built_in">shr<\/span>(<span class="hljs-number">96<\/span>,<span class="hljs-built_in">calldataload<\/span>(<span class="hljs-built_in">sub<\/span>(<span class="hljs-built_in">calldatasize<\/span>(),<span class="hljs-number">20<\/span>)))\n            }\n        } <span class="hljs-keyword">else<\/span> {\n            ret = <span class="hljs-built_in">msg<\/span>.<span class="hljs-built_in">sender<\/span>;\n        }\n    }\n<\/code><\/pre>\n
https:\/\/github.com\/opengsn\/gsn\/blob\/f9d5b4a3239f226a7d70d2be3f230ccb21d50763\/packages\/contracts\/src\/BaseRelayRecipient.sol<\/span><\/a><\/p>\n
As can be seen on code snippet, if:<\/span><\/p>\n