The source chain id was not verified in BranchBridgeAgent#lzReceive. #328
Labels: bug (Something isn't working); downgraded by judge (Judge downgraded the risk level of this issue); duplicate-855; edited-by-warden; grade-a; QA (Quality Assurance: assets are not at risk; state handling, function incorrect as to spec, issues with clarity, syntax); sufficient quality report (This report is of sufficient quality)
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L578
Vulnerability details
Impact
BranchBridgeAgent#lzReceive does not verify the source chain id. An attacker can deploy a contract with the same address as the trusted RootBridgeAgent on another LayerZero-supported EVM chain (one where no RootBridgeAgent is deployed) and then send arbitrary messages to the target BranchBridgeAgent, including token mints, administrator instructions, and so on.
Proof of Concept
BranchBridgeAgent uses lzReceive to accept cross-chain messages sent by RootBridgeAgent and then calls lzReceiveNonBlocking. That function uses _requiresEndpoint to verify that the message source is trusted.
However, the verification only covers _endpoint and _srcAddress; the source chain id is not verified:
2. _srcAddress is the address that initiated the cross-chain call on the source chain. If the attacker is on a LayerZero-supported chain where no RootBridgeAgent is deployed, the attacker can create a RootBridgeAgent at the same address and pass the _srcAddress check.
The attacker sends arbitrary messages to the BranchBridgeAgent in the following ways:
The key question for this issue is whether the same contract address can exist on different chains.
The EVM derives a contract's address from the deployer's account address and transaction nonce, but it cannot be ruled out that some chains use other mechanisms to generate contract addresses.
The more chains LayerZero supports, the higher the chance of such a duplicate.
It also cannot be ruled out that a chain officially supported by LayerZero is controlled by an attacker.
Therefore, verifying the source chain id is the safer option, as it isolates the risk to the one chain the agent actually trusts.
Tools Used
vscode
Recommended Mitigation Steps
Verify the source chain id when accepting cross-chain messages
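As an added illustration (not the Maia contracts or code from this report), the following receiver shows the weak check the report describes, in which only the endpoint and the 20-byte sender address are compared, next to a hardened `_requiresEndpoint` that also pins the LayerZero source chain id. The names `rootChainId`, `LayerZeroUnauthorizedChain`, `_remoteSender`, `_requiresEndpointWeak` and `ChainPinnedBranchReceiver` are assumptions; the 40-byte `remote address ++ local address` path layout is the LayerZero V1 trusted-remote convention, and the report's lzReceive -> lzReceiveNonBlocking hop is collapsed into one function for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not the Maia code. Only lzReceive, _requiresEndpoint,
// lzEndpointAddress and rootBridgeAgentAddress are names from the report;
// everything else is ASSUMED for illustration.

interface ILayerZeroReceiver {
    function lzReceive(uint16 _srcChainId, bytes calldata _srcAddress, uint64 _nonce, bytes calldata _payload) external;
}

contract ChainPinnedBranchReceiver is ILayerZeroReceiver {
    address public immutable lzEndpointAddress;      // local LayerZero endpoint
    address public immutable rootBridgeAgentAddress; // trusted sender on the root chain
    uint16 public immutable rootChainId;             // ASSUMED: LayerZero chain id of the root chain

    error LayerZeroUnauthorizedEndpoint();
    error LayerZeroUnauthorizedCaller();
    error LayerZeroUnauthorizedChain(); // ASSUMED error name

    event Executed(uint16 srcChainId, address remote, bytes payload);

    constructor(address _lzEndpoint, address _rootBridgeAgent, uint16 _rootChainId) {
        lzEndpointAddress = _lzEndpoint;
        rootBridgeAgentAddress = _rootBridgeAgent;
        rootChainId = _rootChainId;
    }

    // ASSUMED layout: LayerZero V1 path is remote address (20 bytes) ++ local address (20 bytes).
    function _remoteSender(bytes calldata _srcAddress) internal pure returns (address) {
        if (_srcAddress.length != 40) revert LayerZeroUnauthorizedCaller();
        return address(bytes20(_srcAddress[:20]));
    }

    // Weak check, the pattern the report describes: endpoint and sender address only.
    // Any contract deployed at rootBridgeAgentAddress on ANY LayerZero chain passes this.
    function _requiresEndpointWeak(address _endpoint, bytes calldata _srcAddress) internal view {
        if (_endpoint != lzEndpointAddress) revert LayerZeroUnauthorizedEndpoint();
        if (_remoteSender(_srcAddress) != rootBridgeAgentAddress) revert LayerZeroUnauthorizedCaller();
    }

    // Hardened check: the origin chain id must be the one root chain this agent trusts.
    function _requiresEndpoint(address _endpoint, uint16 _srcChainId, bytes calldata _srcAddress) internal view {
        if (_endpoint != lzEndpointAddress) revert LayerZeroUnauthorizedEndpoint();
        if (_srcChainId != rootChainId) revert LayerZeroUnauthorizedChain();
        if (_remoteSender(_srcAddress) != rootBridgeAgentAddress) revert LayerZeroUnauthorizedCaller();
    }

    // Entry point invoked by the endpoint; the chain id is passed through instead of being discarded.
    function lzReceive(uint16 _srcChainId, bytes calldata _srcAddress, uint64, bytes calldata _payload)
        external
        override
    {
        _requiresEndpoint(msg.sender, _srcChainId, _srcAddress);
        emit Executed(_srcChainId, _remoteSender(_srcAddress), _payload);
        // ... dispatch on _payload (mint, settlement, admin instruction) only after the three checks above ...
    }
}
```

The difference between the two internal functions is a single comparison, but it changes the trust boundary from "anyone who can obtain this address on any connected chain" to "this address on this one chain". LayerZero's reference LzApp reaches the same result with a `trustedRemoteLookup` mapping keyed by `_srcChainId`, so the chain id is bound to the accepted path by construction; a receiver that compares only the address portion of the path loses that binding.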
Assessed type
Access Control