Function name clashing exploits with proxies

Hi all. I was following this article (https://medium.com/nomic-labs-blog/malicious-backdoors-in-ethereum-proxies-62629adf3357) and I am really struggling to understand something… It won’t take much of your time to read this, much better than me trying to explain it here.

So in the article, @alcuadrado gives us the home task https://ropsten.etherscan.io/address/0xb97dd0102bb67f81d25d686c661d7f0aed62e344
and tells us to find name clashing exploits.

Let me start by telling you how I see the contracts.

  • UnstructuredStorageProxy is the main one which users interact with
  • UnstructuredStorageProxy contains Vault contract, so basically the calls get redirected from UnstructuredStorageProxy to Vault with the help of delegatecall.
  • ACL contract is just the contract that Vault uses.

As far as I realized, proxyOwner and getACLRole5999294130779334338() have the same name clashing (first 4 bytes - 0253). After this, I don’t understand how it’s exploitable.

Can you explain to me how exactly it would be exploitable, in very easy words? I’d really appreciate it because this is very confusing for me…


Hi @gushuna,

I recommend compiling a list of all the function selectors to see what clashes there are between the proxy and the implementation.

You can use npx pocketh selector "proxyOwner()"

If you have done this already, what were they? Did you only find the one clash, or were there more?

I haven’t been through the exercise, so I don’t know the magic answer, but happy to try to help you discover it.