-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The user will lose his assets when making a signed call to the root chain with an account abstraction wallet #441
Comments
0xA5DF marked the issue as duplicate of #877 |
0xA5DF marked the issue as sufficient quality report |
alcueca marked the issue as satisfactory |
alcueca changed the severity to 3 (High Risk) |
alcueca marked the issue as duplicate of #351 |
alcueca marked the issue as partial-50 |
Downgrading the whole lot to Medium again. |
alcueca changed the severity to 2 (Med Risk) |
alcueca marked the issue as satisfactory |
alcueca changed the severity to 3 (High Risk) |
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L262-L273
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L538-L571
Vulnerability details
Impact
Users who interact with the protocol with "EOAs" (externally owned accounts) will be using the same address that is created on all evm chains for these accounts.
But users of account abstraction wallets (which are unique smart contract instances deployed on individual chains) will have different addresses on different chains.
This will introduce problems for the users who use these wallets; as the protocol assumes in all of its calls (signed calls in particular) that the user address who initiated the L0 call in the branch chain is the same address who will be receiving the result of these calls in the root chain (and later in the other chains); i.e:
msg.sender
address.The problem clearly arises when the user initiates a signed call to the root bridge with his account abstraction wallet (that will be the
msg.sender
of this call), and the root bridge agent will create a virtual account for the user with the address extracted from the payload of the call (the extracted address here will be the same address of themsg.sender
of this call in the branch chain; but this address will not be owned by the user in the root chain as the account abstraction wallet will create a different address for the user in different chains):This virtual account of the user will be receiving funds and minted global
hTokens
(virtualized asset representation) in the root chain (Arbitrum).But the created virtual account for the user will not be accessible by the same user who initiated the call in the branch chain with his abstract wallet account (different address on different chains), so he will not be able to withdraw the assets sent to the virtual account as he is not the same address who can access this contract; which will lead to loss of user assets as they become inaccessible VirtualAccount:
Proof of Concept
An example of where the
msg.sender
address is used to make calls by the branch, where it will be received by the root to create a virtual account for him:BranchBridgeAgent.callOutSigned
RootBridgeAgent.lzReceiveNonBlocking
Tools Used
Manual Testing.
Recommended Mitigation Steps
When users initiate a signed call from the
BranchBridgeAgent
; allow users to pass the address where they would like to interact with the protocol in the root chain (used as their address in the root chain) instead of using themsg.sender
address that will be encoded in the call payload.Assessed type
Other
The text was updated successfully, but these errors were encountered: