BranchBridgeAgent:lzReceive() should check if _srcChainId is rootChainId #706
Labels: bug (Something isn't working); downgraded by judge (Judge downgraded the risk level of this issue); duplicate-855; grade-a; QA (Quality Assurance) (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax); sufficient quality report (This report is of sufficient quality)
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchBridgeAgent.sol#L578
Vulnerability details
Impact
Attackers can replay calls from the old root chain to branch chains if the root chain is forked.
Proof of Concept
In BranchBridgeAgent:lzReceive(), the _srcChainId parameter passed by the endpoint is ignored. The requiresEndpoint modifier only checks that msg.sender is the endpoint and that the message sender is the root bridge agent. This allows replays if the root chain is forked and the fork is added to LayerZero as a new chain:
Tools Used
Recommended Mitigation Steps
BranchBridgeAgent should only accept calls from the chain that was the root chain (rootChainId) at the time it was deployed:
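As an added illustration (not the Maia code under audit and not the reporter's PoC), the following minimal Solidity contract shows the weak receiver shape beside the hardened one. Every name here apart from rootChainId and the requiresEndpoint modifier name is an assumption for the example (BranchReceiverExample, lzReceiveVulnerable, requiresRootChain, the error types, and the assumed layout of _srcAddress with the remote sender in its first 20 bytes).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

/// Illustrative branch-side receiver (hypothetical, not the audited contract).
/// It trusts the LayerZero endpoint and the root bridge agent address, and
/// shows what happens when the reported source chain id is, or is not, pinned.
contract BranchReceiverExample {
    address public immutable lzEndpointAddress;      // assumed: endpoint on this chain
    address public immutable rootBridgeAgentAddress; // assumed: trusted root agent
    uint16 public immutable rootChainId;             // LayerZero id of the root chain at deploy time

    event Executed(uint16 srcChainId, uint64 nonce, bytes payload);

    error UnauthorizedEndpoint();
    error UnauthorizedCaller();
    error UnauthorizedSourceChain(uint16 got, uint16 want);

    constructor(address _endpoint, address _rootAgent, uint16 _rootChainId) {
        lzEndpointAddress = _endpoint;
        rootBridgeAgentAddress = _rootAgent;
        rootChainId = _rootChainId;
    }

    /// Weak shape: only the endpoint and the remote sender address are checked.
    /// Assumed layout: first 20 bytes of _srcAddress are the remote sender.
    modifier requiresEndpoint(bytes calldata _srcAddress) {
        if (msg.sender != lzEndpointAddress) revert UnauthorizedEndpoint();
        if (_srcAddress.length != 40) revert UnauthorizedCaller();
        if (address(bytes20(_srcAddress[:20])) != rootBridgeAgentAddress) revert UnauthorizedCaller();
        _;
    }

    /// Hardened shape: additionally pin the source chain id recorded at deployment.
    modifier requiresRootChain(uint16 _srcChainId) {
        if (_srcChainId != rootChainId) revert UnauthorizedSourceChain(_srcChainId, rootChainId);
        _;
    }

    /// Vulnerable variant: a forked root chain registered under a new LayerZero
    /// chain id can redeliver an already-executed packet with the same
    /// _srcAddress and _payload, and every check above still passes.
    function lzReceiveVulnerable(
        uint16 _srcChainId,
        bytes calldata _srcAddress,
        uint64 _nonce,
        bytes calldata _payload
    ) external requiresEndpoint(_srcAddress) {
        emit Executed(_srcChainId, _nonce, _payload);
    }

    /// Fixed variant: the same packet arriving from the fork's chain id reverts
    /// with UnauthorizedSourceChain before any state is touched.
    function lzReceive(
        uint16 _srcChainId,
        bytes calldata _srcAddress,
        uint64 _nonce,
        bytes calldata _payload
    ) external requiresEndpoint(_srcAddress) requiresRootChain(_srcChainId) {
        emit Executed(_srcChainId, _nonce, _payload);
    }
}
```

The address check alone cannot distinguish the fork from the original root chain, because contract addresses and message payloads are identical on both sides of a fork; only the chain id the endpoint reports differs. Relying on the endpoint's inbound nonce does not close the gap either, since LayerZero tracks nonces per source path (chain id plus address), so the fork starts a fresh path. Pinning `_srcChainId` to the deployment-time `rootChainId` is the check that rejects the replay.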
Assessed type
Invalid Validation