Cross-chain messaging via Anycall will fail #91

Open
code423n4 opened this issue Jun 15, 2023 · 7 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden H-34 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

code423n4 commented Jun 15, 2023

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L1006-L1011
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/lib/AnycallFlags.sol#L11

Vulnerability details

Impact

Cross-chain calls will fail since source-fee is not supplied to Anycall

Proof of Concept

In _performCall() of BranchBridgeAgent.sol, a cross-chain call is made using anyCall() with the _flag of 4. According to the Anycall V7 documentation and code, when using gas _flag of 4, the gas fee must be paid on the source chain. This means anyCall() must be called and sent gas.

However, this is not the case, and the result is _performCall will always revert. This will impact many functions that rely on this function such as callOut(), callOutSigned(), retryDeposit(), etc.

Tools Used

Manual

Recommended Mitigation Steps

After discussing with the Sponsor, it is expected that the fee be paid on the destination chain, specifically the rootBridgeAgent. Consider refactoring the code to change the _flag to use pay on destination.

Alternatively, if pay on source is the intention, consider refactoring the code to include fees, starting with _performCall. Additional refactoring will be required.

```solidity
function _performCall(bytes memory _calldata, uint256 _fee) internal virtual {
    //Sends message to AnycallProxy
    IAnycallProxy(localAnyCallAddress).anyCall{value: _fee}(
        rootBridgeAgentAddress, _calldata, rootChainId, AnycallFlags.FLAG_ALLOW_FALLBACK, ""
    );
}
```

Assessed type

Library
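
The fee rule behind this finding, as an added example that is not part of the submission and is not Anycall or Maia code: a constructed mock proxy enforces the source fee unless the pay-on-destination bit is set, and a model caller shows the reported call next to both mitigations. `MockAnycallProxy`, `BranchAgentModel`, `Flags`, the revert message and the chain id `1` are hypothetical; the flag values (2 = pay fee on destination, 4 = allow fallback) are assumed from the Anycall V7 documentation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model. Flag bits assumed from the Anycall V7 documentation:
// value 2 = pay fee on destination, value 4 = allow fallback.
library Flags {
    uint256 internal constant PAY_FEE_ON_DEST = 0x1 << 1;
    uint256 internal constant ALLOW_FALLBACK = 0x1 << 2;
}

// Hypothetical stand-in for the Anycall proxy: only the fee rule is modelled.
contract MockAnycallProxy {
    uint256 public immutable sourceFee; // constructed flat fee, in wei

    constructor(uint256 _sourceFee) { sourceFee = _sourceFee; }

    function anyCall(address, bytes calldata, uint256, uint256 _flags, bytes calldata)
        external
        payable
    {
        // Without the pay-on-destination bit, the caller must fund the call here.
        if ((_flags & Flags.PAY_FEE_ON_DEST) == 0) {
            require(msg.value >= sourceFee, "source fee not supplied");
        }
    }
}

contract BranchAgentModel {
    MockAnycallProxy public immutable proxy;

    constructor(MockAnycallProxy _proxy) { proxy = _proxy; }

    // As reported: flag 4 and no value attached, so this reverts when sourceFee > 0.
    function callAsReported(bytes calldata data) external {
        proxy.anyCall(address(this), data, 1, Flags.ALLOW_FALLBACK, "");
    }

    // First mitigation: keep fallback, move the fee to the destination (4 | 2 = 6).
    function callPayOnDest(bytes calldata data) external {
        proxy.anyCall(address(this), data, 1, Flags.ALLOW_FALLBACK | Flags.PAY_FEE_ON_DEST, "");
    }

    // Second mitigation: stay on pay-on-source and forward the fee with the call.
    function callPayOnSource(bytes calldata data) external payable {
        proxy.anyCall{value: msg.value}(address(this), data, 1, Flags.ALLOW_FALLBACK, "");
    }
}
```

With the mock deployed using a non-zero `sourceFee`, `callAsReported` reverts, `callPayOnDest` succeeds with no value, and `callPayOnSource` succeeds only when `msg.value` covers the fee.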

@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 15, 2023
code423n4 added a commit that referenced this issue Jun 15, 2023
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jul 9, 2023
c4-judge commented Jul 9, 2023

trust1995 marked the issue as primary issue

c4-judge commented Jul 9, 2023

trust1995 marked the issue as satisfactory

@c4-sponsor

0xLightt marked the issue as sponsor confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jul 11, 2023
@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Jul 25, 2023
@c4-judge

trust1995 marked the issue as selected for report

@c4-sponsor

0xBugsy marked the issue as sponsor acknowledged

@c4-sponsor c4-sponsor added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") and removed sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons labels Jul 27, 2023
@c4-sponsor

0xBugsy marked the issue as sponsor confirmed

0xBugsy commented Jul 28, 2023

We recognize the audit's findings on Anycall. These will not be rectified due to the upcoming migration of this section to LayerZero.
