Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Funds stuck in router if no additional payload send during callOutAndBridge #898

Open
c4-submissions opened this issue Oct 6, 2023 · 6 comments
Open

Funds stuck in router if no additional payload send during callOutAndBridge #898

c4-submissions opened this issue Oct 6, 2023 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-685 grade-a Q-01 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgentExecutor.sol#L100-L105

Vulnerability details

Impact

The callOutAndBridge flow causes funds to be locked if no additional payload is send.

Proof of Concept

In RootBridgeAgentExecutor.executeWithDeposit the function ends if the payload is not longer than 128 bytes:

//router is recipient of funds
_bridgeIn(_router, dParams, _srcChainId);

if (_payload.length > PARAMS_TKN_SET_SIZE) {
    //Execute remote request
    IRouter(_router).executeDepositSingle{value: msg.value}(
        _payload[PARAMS_TKN_SET_SIZE:], dParams, _srcChainId
    );
}
//END

At this point however, the funds that were bridged in were send to the router, where they remain.

Tools Used

Manual review

Recommended Mitigation Steps

Revert, if the router is not called (payload.length <= PARAMS_TKN_SET_SIZE)

Assessed type

Other
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 6, 2023
c4-submissions added a commit that referenced this issue Oct 6, 2023
@c4-submissions
minhtrng issue #898
ebc309f
@c4-pre-sort
Copy link

0xA5DF marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Oct 7, 2023
This was referenced Oct 7, 2023
Open
Open
Open
@c4-pre-sort
Copy link

0xA5DF marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Oct 7, 2023
This was referenced Oct 13, 2023
Open
Open
Open
Closed
@0xBugsy
Copy link

0xBugsy commented Oct 17, 2023

This is a duplicate of #685

@c4-judge
Copy link
Contributor

alcueca marked the issue as duplicate of #685

@c4-judge c4-judge added duplicate-685 and removed primary issue Highest quality submission among a set of duplicates labels Oct 25, 2023
@c4-judge
Copy link
Contributor

alcueca changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 25, 2023
@c4-judge
Copy link
Contributor

alcueca marked the issue as grade-a

@osmanozdemir1 osmanozdemir1 mentioned this issue Oct 30, 2023
Open
@C4-Staff C4-Staff reopened this Nov 8, 2023
@C4-Staff C4-Staff added the Q-01 label Nov 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-685 grade-a Q-01 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@c4-judge @0xBugsy @c4-pre-sort @C4-Staff @c4-submissions