Ulysses Omnichain - Critical Business Logic Error regarding anyCall Pay Fees on Destination Chain Implementation #638
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-91
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/anyswap/multichain-smart-contracts/blob/main/contracts/anycall/v7/AnycallV7Upgradeable.sol#L207
https://github.com/anyswap/multichain-smart-contracts/blob/main/contracts/anycall/v7/AnycallV7Upgradeable.sol#L174-L186
Vulnerability details
Ulysses Omnichain - Critical Business Logic Error regarding anyCall Pay Fees on Destination Chain Implementation
Impact
Summary
There is a critical error in the Ulysses Omnichain implementation of the anyCall Pay Fees on Destination / Source Chain 'module'. The error relates to the configuration of the flags parameter and lack of any fees sent to satisfy anyCall protocol fees.
For more details on requirements to calling
anyCall
properly, see:Details
The implementation of anyCall within Ulysses Omnichain is currently misconfigured to pay fees on the source chain instead of the destination chain. Additionally, the implementation of
_performCall
inBranchBridgeAgent.sol
lacks payment for the unavoidable base or custom "source fees", as is required by theanyCall
protocol. Additionally, the project team have communicated through private messaging with the audit team that they intended the protocol to be configured to pay on destination. However, the flags used to configure fee payment foranyCall
is set to pay all fees on the source chain.The impact in relation to the business logic and functionality of the protocol cannot be understated, as in its current configuration any swaps between chains using the anyCall system will fail due to unavailability of gas to pay the implemented/configured fees from the source chain.
While current tests using the
anyCall
are currently passing using the test suite provided by the project team, this is due to the tests using mocked calls with pre-computed values rather than the actual implementations of anyCall.It will be demonstrated below with a test that uses deployed anyCall protocol contracts, how the current implementation will fail due to incorrect flag paramters being set.
Proof of Concept
Please see the anyCall v7 integration and best practice documentation here: https://anycall.gitbook.io/anycall/the-latest-version/v7/pay-fees-on-destination-chain
For background,the the function definition for
anyCall
is as follows:_flags
configures the fallback and fees settings. The are:0: Gas fee paid on source chain. Fallback not allowed.
2: Gas fee paid on destination chain. Fallback not allowed.
4: Gas fee paid on source chain. Allow fallback
6: Gas fee paid on destination chain. Allow fallback
It can be observed below in the
_performCall
function withinBranchBridgeAgent.sol
that executes using theanycallFlags.sol
library the contract is configured with `FLAG_ALLOW_FALLBACK = 0x1 << 2' which corresponds with flag 4 in the anyCall documentation to pay fees on the source chain rather than the destination chain.Furthermore, the code implentation required to pay fees from the source chain has not been included within the
_performCall
function. This is likely due to the project team intended the fee structure to be pay on destination chain.We can see from actual anyCall protocol source (from
Anycallv7Upgradeable.sol
),anyCall
has the invariant of a base source fee, which is not satisfied by the Ulysses Omnichain protocol:The code below tests the exact manner that the ulysses-omnichain protocol calls
anyCall
, using the forking functionality of foundry to test against actual instances of the anyCall protocol contracts. This proves that in its current implementation, a live, deployed instance of the ulysses-omnichain protocol will fail to send transactions across the anyCall SMPC network.Tools Used
Manual Review
Recommended Mitigation Steps
Any transaction with
anyCall
needs to satisfy the base source chain execution fee and a flag update to implement the Pay Fees Destination Chain model that we believe the project team intended.A code update to
_performCall
could be:Assessed type
DoS
The text was updated successfully, but these errors were encountered: