BranchBridgeAgent is missing source chain checking. #855
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
grade-a
primary issue: Highest quality submission among a set of duplicates
Q-08
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L578-L584
Vulnerability details
Impact
According to the LayerZero docs, UAs should check that messages come from a trusted chain and a known address.
https://layerzero.gitbook.io/docs/evm-guides/master/receive-messages
However, BranchBridgeAgent only checks the address and does not verify the source chain. The source chain here should be the root chain (Arbitrum). If there exists a contract on another network with the same address as the RootBridgeAgent on the Arbitrum network, BranchBridgeAgent may consider messages from this contract as legitimate and process them.
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L578-L584
Deploying a contract on another network with the same address as the RootBridgeAgent on the Arbitrum network is a highly challenging task. However, if a hard fork occurs on Arbitrum, and LayerZero decides to support both networks, then there would be a situation where two contracts have identical addresses.
Adding a source chain check can prevent such situations from occurring.
Proof of Concept
In the following test code, we manually modified the ID of the Arbitrum network to simulate a hard fork on the Arbitrum network. Note that this is not a complete test script.
Tools Used
Foundry
Recommended Mitigation Steps
Assessed type
Invalid Validation
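The source chain check the report describes, sketched as an added example; this is not code from the report or from the Maia repository. The contract name, state variables, errors and event are hypothetical, and the 40-byte `_srcAddress` layout (remote address followed by local address) is an assumption about the LayerZero v1 path format.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; not the project's BranchBridgeAgent.
/// Every identifier below except the lzReceive signature is hypothetical.
contract SourceCheckedReceiver {
    address public immutable lzEndpoint;         // local LayerZero endpoint
    uint16 public immutable trustedRootChainId;  // LayerZero id of the root chain, fixed at deploy
    address public immutable trustedRootAgent;   // root-chain sender this receiver trusts

    error UnauthorizedEndpoint();
    error UnauthorizedChain();
    error UnauthorizedCaller();

    event Accepted(uint16 srcChainId, uint64 nonce, bytes32 payloadHash);

    constructor(address _endpoint, uint16 _rootChainId, address _rootAgent) {
        lzEndpoint = _endpoint;
        trustedRootChainId = _rootChainId;
        trustedRootAgent = _rootAgent;
    }

    // LayerZero v1 receive entry point.
    function lzReceive(
        uint16 _srcChainId,
        bytes calldata _srcAddress,
        uint64 _nonce,
        bytes calldata _payload
    ) external {
        // Only the local endpoint may deliver messages.
        if (msg.sender != lzEndpoint) revert UnauthorizedEndpoint();

        // Source chain check: an identical sender address on any other
        // chain id (for example a fork of the root chain) is rejected here.
        if (_srcChainId != trustedRootChainId) revert UnauthorizedChain();

        // Source address check. Assumed layout: remote (20 bytes) + local (20 bytes).
        // On its own this check cannot distinguish two chains that host the same address.
        if (_srcAddress.length != 40) revert UnauthorizedCaller();
        if (address(bytes20(_srcAddress[:20])) != trustedRootAgent) revert UnauthorizedCaller();

        // Message handling would follow; the example only records acceptance.
        emit Accepted(_srcChainId, _nonce, keccak256(_payload));
    }
}
```

A Foundry test for this pattern would call `lzReceive` from the endpoint address twice with the same `_srcAddress`, once with the root chain id and once with a different id, and expect the second call to revert with `UnauthorizedChain`.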