CRITICAL: Fundamental architectural flaw detected in Keep.sol (Reentrancy) #135
Description
CRITICAL SECURITY ADVISORY: MULTIPLE REENTRANCY VULNERABILITIES IN KEEP.SOL
1. VULNERABILITY OVERVIEW
A critical architectural flaw was discovered in the Keep.sol contract. The relay and multirelay functions lack reentrancy protection while executing arbitrary external calls.
2. TECHNICAL DETAIL
- Function:
multirelay(Call[] calldata calls) - Location: Line 326 of
src/Keep.sol - Issue: The function iterates through calls and executes them via
_execute. Sincemultirelayis not protected bynonReentrantor any state-locking mechanism, a malicioustoaddress can re-enter theKeepcontract to drain funds or manipulate state within the same transaction.
3. PHYSICAL IMPACT
Complete loss of funds stored in any Keep vault. Unauthorized state manipulation of DAO governance.
4. PROOF OF CONCEPT
I have developed a private PoC demonstrating the full drain.
5. RESOLUTION
I am seeking a high-severity bug bounty for this discovery as per standard Web3 security practices. Please provide a secure channel for the PoC transfer.