Not signed deposits to the RootBridgeAgent can be stolen if they miss Router instructions. #680
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-685
grade-a
Q-39
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgentExecutor.sol#L82-L106
Vulnerability details
Impact
If an unsigned deposit is bridged without instruction params the assets are bridged to the MulticallRouter and can be stolen by another user.
Proof Of Concept
For the Deposit flags 0x02 & 0x03 corresponding to bridging out assets without a Virtual Account as a receiver, the receiver is the MulticallRouter. The problem is that if a user hasn't specified params for further execution
executeWithDeposit
doesn't revert which means the bridged assets remain in theMulticallRootRouter
. At that point an adversary can send a message from a Branch Chain (0x01 flag) & Output params that correspond the to the left assets and steal them.Coded POC
RootTest
contract insideRooTest.t.sol
forge test --match-test testEmptyInstructionsGrief -vv
Output - logs that an adversary user stole assets from the MulticallRouter that were there because of missing instructions from an innocent user's Bridge Out.
Tools Used
Manual Inspection
Foundry
Recommended Mitigation Steps
If an unsigned bridge is performed (0x02, 0x03 flags) revert the execution on the
RootBridgeAgent
if there are no params instructions for theMulticallRootRouter
Assessed type
Context
The text was updated successfully, but these errors were encountered: