Git-Mirrors/blockchains-security-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/blockchains-security-toolkit.git synced 2025-08-18 02:50:28 -04:00
Code Issues Projects Releases Packages Wiki Activity

Update wormhole.md

Browse source
This commit is contained in:
bt3gl 2022-06-08 23:28:03 -07:00 committed by GitHub
parent 920ffa28bc
commit a9d5c4ccb2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

36
Top-Immunefi-Vulnerabilities/wormhole.md
View file

@ -3,3 +3,39 @@
<br> <br>
* [Immunefi post](https://medium.com/immunefi/wormhole-uninitialized-proxy-bugfix-review-90250c41a43a) * [Immunefi post](https://medium.com/immunefi/wormhole-uninitialized-proxy-bugfix-review-90250c41a43a)
<br>
### Intro to Proxies
* A smart contract upgrade can be simply summarized as: a change in the code at a specific address while preserving the storage state of previous code and the relationship of that address to other contracts.
* A proxy contract and delegate calls can only swap the implementation, not the state of the contract.
* In Ethereum, there are three major types of contract calls: regular CALL, STATICCALL, and DELEGATECALL.
* When contract A makes a CALL to contract B by calling foo(), the function execution relies on contract Bs storage, and the msg.sender is set to contract A.
* However, when the same call is made using DELEGATECALL, the function foo() would be called on contract B but in the context of contract A. This means that the logic of contract B would be used, but any state changes made by the function foo() would affect the storage of contract A. And also, msg.sender would point to the EOA who made the call in the first place.
<img width="875" alt="Screen Shot 2022-06-08 at 10 22 23 PM" src="https://user-images.githubusercontent.com/1130416/172770375-6b99ee39-ebd8-4dc1-b8a1-e7c76f6161f4.png">
<br>
* A delegatecall makes it possible to create upgradeable contracts using a proxy pattern.
<img width="919" alt="Screen Shot 2022-06-08 at 10 23 34 PM" src="https://user-images.githubusercontent.com/1130416/172770543-32f49773-0025-45ae-acb1-5c8032432e96.png">
<br>
* Making an upgrade in this case is quite simple, as we only need to change the stored implementation contract address in order to change its smart contract logic.
<br>
### Transparent Proxy Pattern (TPP) and Universal Upgradeable Proxy Standard (UUPS)
* when a proxy admin wants to call a proxy contract function transferOwnership() which shares a name with a function in the implementation contract, which one would be called?
* Transparent Proxy Pattern (TPP): calls by a user always execute using the implementation contracts logic. Calls by the proxy admin always execute using the proxy contracts logic.