_callOut function encodes the wrong flag based on the anyExecute function #468
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-91
- edited-by-warden
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L657
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L1118-L1224
Vulnerability details
Impact
The _callOut function of the BranchBridgeAgent contract encodes the wrong selector for messages with no asset settlement. Encoding 0x01 as the flag causes the code block that invokes the executeWithSettlement function to run when anyExecute is ultimately invoked on the destination chain. The implications for the protocol are two-fold:

1. Users can pass arbitrary calldata as a parameter to the external callOut function, which is then encoded within the internal _callOut function. A malicious user can populate this calldata with parameters that fill the SettlementParams struct within the executeWithSettlement function with data that causes token transfers to occur on the destination chain without any tokens having been transferred to the protocol. This can then be used to drain the protocol of its liquidity.

2. Users that intend to use the external callOut function to send a cross-chain message without an asset transfer will lose the funds sent to pay for the message's gas fee, because the transaction will likely fail execution on the destination chain: the encoded calldata does not carry the parameters needed to build the SettlementParams struct within the executeWithSettlement function.
We believe this to be a high-severity vulnerability because it will have a direct effect on user funds as well as the functionality of the protocol.
Proof of Concept
Please see the previously referenced blocks of code.
Tools Used
Manual Audit Review
Recommended Mitigation Steps
Refactor the anyExecute function of the BranchBridgeAgent contract so that the intended functionality is invoked with the 0x01 flag, bringing it into alignment with the corresponding functionality of the anyExecute function of the RootBridgeAgent contract.
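The following is an added model of the flag mismatch described in this finding, written for this write-up and not taken from the Maia codebase. It is a Python sketch, not Solidity: the flag values (other than the 0x01 named above), the SettlementParams wire layout, and the nonce handling are assumptions chosen to make the dispatch mismatch visible. The buggy encoder stamps a plain message with the settlement flag, so the receiver parses user calldata as a SettlementParams struct: a short payload reverts (the gas-loss case), and any payload long enough is read as a transfer instruction. The fixed encoder routes the same calldata to the no-settlement handler. The simulate helper doubles as the cross-contract consistency check a reviewer would want: it asserts that each sender-side encoder lands on the receiver-side handler it was meant for.

```python
import struct

# Assumed flag values for this model (not the project's constants). The page
# states that 0x01 selects executeWithSettlement on the branch side.
FLAG_WITH_SETTLEMENT = 0x01
FLAG_NO_SETTLEMENT = 0x02  # assumed value for the plain-message path

# Assumed SettlementParams wire layout: nonce (u32) | recipient (20 bytes) | amount (u256)
SETTLEMENT_LAYOUT = struct.Struct(">I20s32s")


def call_out_buggy(nonce: int, calldata: bytes) -> bytes:
    """Sender side as the finding describes it: a message that carries no
    settlement is nevertheless stamped with the settlement flag."""
    return bytes([FLAG_WITH_SETTLEMENT]) + nonce.to_bytes(4, "big") + calldata


def call_out_fixed(nonce: int, calldata: bytes) -> bytes:
    """Sender side after mitigation: the flag matches the receiver's dispatch."""
    return bytes([FLAG_NO_SETTLEMENT]) + nonce.to_bytes(4, "big") + calldata


class BranchAgentModel:
    """Receiver side: dispatches on the first byte, as anyExecute does."""

    def __init__(self):
        self.transfers = []  # (recipient, amount) pairs the settlement path would release
        self.messages = []   # calldata executed by the plain-message path

    def any_execute(self, data: bytes) -> str:
        flag, body = data[0], data[1:]
        if flag == FLAG_WITH_SETTLEMENT:
            return self._execute_with_settlement(body)
        if flag == FLAG_NO_SETTLEMENT:
            return self._execute_no_settlement(body)
        raise ValueError(f"unknown flag {flag:#04x}")

    def _execute_with_settlement(self, body: bytes) -> str:
        # Whatever bytes arrive here are decoded as SettlementParams, so the
        # recipient and amount come straight from the caller's payload.
        if len(body) < SETTLEMENT_LAYOUT.size:
            raise ValueError("payload too short for SettlementParams")
        _nonce, recipient, amount_be = SETTLEMENT_LAYOUT.unpack_from(body)
        self.transfers.append((recipient, int.from_bytes(amount_be, "big")))
        return "with_settlement"

    def _execute_no_settlement(self, body: bytes) -> str:
        _nonce = int.from_bytes(body[:4], "big")
        self.messages.append(body[4:])
        return "no_settlement"


def simulate(encoder, calldata: bytes):
    """Run one message from encoder to receiver.

    Returns (handler path or None, error text or None, receiver model) so a
    test can check both which handler ran and what state it produced."""
    agent = BranchAgentModel()
    message = encoder(7, calldata)  # nonce 7 is an arbitrary constructed value
    try:
        return agent.any_execute(message), None, agent
    except ValueError as exc:
        return None, str(exc), agent


# Constructed sample calldata: a plain 32-byte message with no settlement fields.
SAMPLE_CALLDATA = b"\x12\x34\x56\x78" + b"\x00" * 28

if __name__ == "__main__":
    for name, encoder in (("buggy", call_out_buggy), ("fixed", call_out_fixed)):
        path, err, agent = simulate(encoder, SAMPLE_CALLDATA)
        print(f"{name}: path={path} error={err} transfers={agent.transfers}")
```

Running the block shows the buggy encoder reverting on the 32-byte message ("payload too short for SettlementParams"), which is the fee-loss case, while the fixed encoder reaches the no-settlement handler with the calldata intact. Extending SAMPLE_CALLDATA past 52 bytes under the buggy encoder makes the receiver record a transfer the sender never funded, which is the liquidity-drain case.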
Assessed type
Error