Token Importer
VirtualsVerifier.sol
[LOW] Incomplete EIP-1167 Validation
Adding a suffix would prevent invalid proxy tokens from being easily created. This would result in fake tokens being moved into the system.
Complete EIP-1167 Pattern:
0x363d3d373d3d3d363d73<20-byte impl>5af43d82803e903d91602b57fd5bf3
From reviewing the Virtuls github it doesn't look like they have the ability to query a specific token address and instead just have a substantial array of IAgentToken instances: allTradingTokens. This could be queried and iterated over, but the gas costs would make this impossible.
Recommended solution:
function _getImplementation(address _proxy) internal view returns (address implementation_) {
// Check if contract has code
uint256 size;
assembly {
size := extcodesize(_proxy)
}
if (size == 0) return address(0);
// Ensure we have enough code to read
if (size < 45) return address(0);
// Decode the EIP-1167 minimal proxy pattern
bytes memory code = new bytes(45);
assembly {
extcodecopy(_proxy, add(code, 32), 0, 45)
}
// Complete EIP-1167 validation
if (
code.length == 45 &&
uint8(code[0]) == 0x36 &&
uint8(code[1]) == 0x3d &&
uint8(code[2]) == 0x3d &&
uint8(code[3]) == 0x37 &&
uint8(code[4]) == 0x3d &&
uint8(code[5]) == 0x3d &&
uint8(code[6]) == 0x3d &&
uint8(code[7]) == 0x36 &&
uint8(code[8]) == 0x3d &&
uint8(code[9]) == 0x73 &&
// Validate suffix
uint8(code[35]) == 0x5a &&
uint8(code[36]) == 0xf4 &&
uint8(code[37]) == 0x3d &&
uint8(code[38]) == 0x82 &&
uint8(code[39]) == 0x80 &&
uint8(code[40]) == 0x3e &&
uint8(code[41]) == 0x90 &&
uint8(code[42]) == 0x3d &&
uint8(code[43]) == 0x91 &&
uint8(code[44]) == 0x60 &&
uint8(code[45]) == 0x2b &&
uint8(code[46]) == 0x57 &&
uint8(code[47]) == 0xfd &&
uint8(code[48]) == 0x5b &&
uint8(code[49]) == 0xf3
) {
assembly {
implementation_ := mload(add(code, 30))
}
}
}
Note: From previous audits we have noticed that this lookup check is used in a few verifiers. We would recommend moving it to a library, or similar import.