-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
users may not be able to call retryDeposit(...) for failed deposits #858
Comments
0xA5DF marked the issue as primary issue |
0xA5DF marked the issue as sufficient quality report |
Seems like a design choice, but will leave open for sponsor to comment |
0xBugsy (sponsor) disputed |
This is intended, you can set the owner of the deposit to your own address if desired. Removing this would break functionality, like our current router interactions. |
It might be intended, but that is far from what the docs suggest. It doesn't seem far-fetched to think that users might want to set |
Maybe the deposit owner and the refundee should be separate concepts, and dealt with separately. |
We believe this relies on API misuse. Someone integrating with our contracts should be conscious of what's the role of a The only use case we can see where having both addresses exposed, would be if someone were to create a router contract that is intended to retain ownership over user deposits (e.g. needs to perform some extra action before giving tokens back to user) and wanted to refund excess gas to the caller, this can also be achieved by other means without having to increase the number of parameters for everyone else. In addition, for signed calls letting the user decide the Regarding the natspec we 100% agree it is not up to par and should be updated to match the detail used in |
I'll judge it as QA grade-a, but please fix the natspec and possibly the variable name. It is very misleading. I'd argue that the fact that the variable denotes the deposit owner is much more relevant than the fact that it also denotes the recipient for gas refunds. |
alcueca changed the severity to QA (Quality Assurance) |
alcueca marked the issue as grade-a |
As bugsy stated:
The
For signed calls, the msg.sender should be the owner or what bugsy described would happen. We are not doing this part correctly, the I still believe this would only happen due to API misuse, a UI should always pass the caller's address as |
Hello 0xLightt , I have one of the duplicates of this issue and after reading your comments I'd like to add a comment. If we want to use a Branch side we can use ether callOutAndBridge() function from BaseBranchRouter contract or callOutAndBridge from BranchBridge contract(). Both of them don't have any modifier so a user can call any of them
But if a user uses BranchBridge contract he can set up whatever he wants as a refundee and this can later lead to problems described in the issues linked with retry functions.
Even if it looks like a user error at first I noticed that similar Root functions are protected by modifiers, so the agent only can be called by a router, not by a user: RootBridgeAgent:
I am leading to the point that maybe bridgeAgent contract should have the same modifier then the user won't be able to call bridge contract's call functions without router? |
Your recommendation to add I believe the reason for QA is that due to happening from a user error, so it follows the first point: #906 (comment) |
0xLightt (sponsor) confirmed |
Hello @alcueca, may I request your attention to the comments above, and I kindly ask for your final decision on this matter. |
Again, a user calling this function can only hurt themselves if they call it with the wrong parameters. To be consistent in judging this contest I'm classifying users hurting themselves as QA, unless it is explicitly said that the users should do something, and that something hurts them. To be a High or a Medium in this contest:
The sponsor modifying the code to remove footguns is consistent with a QA grade-a severity, as well. |
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L882
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L832
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L354
Vulnerability details
Impact
In the event of a failed deposit the has not been executed yet, the user may not be able to call
retryDeposit(...)
if the user does not specify his account as therefundee
.Proof of Concept
When
_createDeposit(...)
is called as shown below, thedeposit.owner
variable is updated to_refundee
.When
retryDeposit(...)
is called, as shownn below, if the user did not use his address as therefundee
during deposit creation, his the call toretryDeposit(...)
will revert.Tools Used
Manual review
Recommended Mitigation Steps
Consider making the
msg.sender
the owner during the deposir creation stage as shown belowAssessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: