Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deposit owner is incorrectly set to _address to pay refunds to_ when depositing via BranchBridgeAgent instead of caller or this behavior is not specified #300

Open
c4-submissions opened this issue Oct 2, 2023 · 5 comments
Open

Deposit owner is incorrectly set to _address to pay refunds to_ when depositing via BranchBridgeAgent instead of caller or this behavior is not specified #300

c4-submissions opened this issue Oct 2, 2023 · 5 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-858 grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/interfaces/IBranchBridgeAgent.sol#L154-L168
https://github.com/code-423n4/2023-09-maia/blob/main/src/interfaces/IBranchBridgeAgent.sol#L170-L184
https://github.com/code-423n4/2023-09-maia/blob/main/src/interfaces/IBranchBridgeAgent.sol#L186-L196
https://github.com/code-423n4/2023-09-maia/blob/main/src/interfaces/IBranchBridgeAgent.sol#L198-L214
https://github.com/code-423n4/2023-09-maia/blob/main/src/interfaces/IBranchBridgeAgent.sol#L216-L233

Vulnerability details

Summary

When depositing assets (single, multiple or signed/unsigned) to the Ulysses Omnichain system via BranchBridgeAgents, in all deposit related functions, user is instructed to provide an address where excess gas from msg.value will be deposited to. Example for IBranchBridgeAgent::callOutAndBridge):

     * @notice Function to perform a call to the Root Omnichain Router while depositing a single asset.
     *   @param gasRefundee address to return excess gas deposited in `msg.value` to.

and for all other functions:

But in all these implementation, the deposit owner is actually set to this provided refund address, not the message sender,

        //Create Deposit and Send Cross-Chain request
        _createDeposit(_depositNonce, _refundee, _dParams.hToken, _dParams.token, _dParams.amount, _dParams.deposit);

while tokens are taken from the message sender.

        // Deposit / Lock Tokens into Port
        IPort(localPortAddress).bridgeOut(msg.sender, _hToken, _token, _amount, _deposit);

If this behavior is intentional it must be documented as such since users of the protocol may end up giving ownership to addresses they did not intend to thus losing their deposits.

Impact

Users may incorrectly give ownership of their deposits to unwanted addresses that may lead to user funds being lost.

Tools Used

Manual review

Note for judging

This issue was confirmed by sponsors as being a documentation flaw in private. For the IRootBridgeAgent, for example, the full role of the address parameter was mentioned. However, as it is, the system user-interaction should be considered flawed for the Branch Agent and fixed as such.

Recommendations

Either document this behavior, similar to how in IRootBridgeAgent it was mentioned, or modify that the owner to be set to the message sender and also document this accordingly.

Assessed type

Other
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Oct 2, 2023
c4-submissions added a commit that referenced this issue Oct 2, 2023
@c4-submissions
ABA issue #300
bcafab3
@c4-pre-sort
Copy link

0xA5DF marked the issue as duplicate of #858

@c4-pre-sort c4-pre-sort added duplicate-858 sufficient quality report This report is of sufficient quality labels Oct 15, 2023
@c4-pre-sort
Copy link

0xA5DF marked the issue as sufficient quality report

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Oct 26, 2023
@c4-judge
Copy link
Contributor

alcueca changed the severity to QA (Quality Assurance)

@alcueca
Copy link

alcueca commented Oct 26, 2023

Documentation issue, the _refundee is actually the deposit owner if the caller decides that it should be anyone else.

@c4-judge
Copy link
Contributor

alcueca marked the issue as grade-a

@C4-Staff C4-Staff reopened this Nov 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-858 grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alcueca @c4-judge @c4-pre-sort @C4-Staff @c4-submissions