Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anyone can send cross-chain transactions without paying fees to Decent #51

Closed
c4-bot-8 opened this issue Jan 21, 2024 · 9 comments
Closed

Anyone can send cross-chain transactions without paying fees to Decent #51

c4-bot-8 opened this issue Jan 21, 2024 · 9 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-647 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality

Comments

@c4-bot-8
Copy link
Contributor

c4-bot-8 commented Jan 21, 2024
edited by c4-bot-4
Loading

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L197-L234

Vulnerability details

Impact

In https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L197-L234, anyone can call bridge and bridgeWithPayload

    function bridgeWithPayload(
        uint16 _dstChainId,
        address _toAddress,
        uint _amount,
        bool deliverEth,
        uint64 _dstGasForCall,
        bytes memory additionalPayload
    ) public payable {
        return
            _bridgeWithPayload(
                MT_ETH_TRANSFER_WITH_PAYLOAD,
                _dstChainId,
                _toAddress,
                _amount,
                _dstGasForCall,
                additionalPayload,
                deliverEth
            );
    }

    /// @inheritdoc IDecentEthRouter
    function bridge(
        uint16 _dstChainId,
        address _toAddress,
        uint _amount,
        uint64 _dstGasForCall,
        bool deliverEth // if false, delivers WETH
    ) public payable {
        _bridgeWithPayload(
            MT_ETH_TRANSFER,
            _dstChainId,
            _toAddress,
            _amount,
            _dstGasForCall,
            bytes(""),
            deliverEth
        );
    }

These functions are meant to be called by the bridge adapter only which is called by UTB which takes a fee, but they can called by anyone as they have no modifiers set.

Therefore, a user can send a cross-chain transaction without paying fees to Decent by directly calling bridge and bridgeWithPayload. A secondary impact is that this will also deplete the ETH / WETH reserves of the router in the destination chain.

Tools Used

Manual Review.

Recommended Mitigation Steps

Add access control checks to these functions (only bridge adapter should call these functions)

Assessed type

Access Control
@c4-bot-8 c4-bot-8 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 21, 2024
c4-bot-4 added a commit that referenced this issue Jan 21, 2024
@c4-bot-4
haxatron issue #51
5368c33
@c4-bot-10 c4-bot-10 changed the title Anyone can bridge without paying fees. Anyone can send cross-chain transactions without paying fees. Jan 21, 2024
@c4-bot-4 c4-bot-4 changed the title Anyone can send cross-chain transactions without paying fees. Anyone can send cross-chain transactions without paying fees to Decent Jan 22, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 23, 2024
@raymondfam
Copy link

Fee dodging via the router.

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #15

@c4-pre-sort c4-pre-sort reopened this Jan 26, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as not a duplicate

@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Jan 26, 2024
This was referenced Jan 26, 2024
Closed
Open
@raymondfam
Copy link

Bridge dodging that should have access restrictions.

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 30, 2024
@c4-sponsor
Copy link

wkantaros (sponsor) confirmed

@c4-judge c4-judge closed this as completed Feb 2, 2024
@c4-judge c4-judge added duplicate-647 and removed primary issue Highest quality submission among a set of duplicates labels Feb 2, 2024
@c4-judge
Copy link

c4-judge commented Feb 2, 2024

alex-ppg marked issue #647 as primary and marked this issue as a duplicate of 647

@c4-judge
Copy link

c4-judge commented Feb 2, 2024

alex-ppg marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-647 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@raymondfam @c4-judge @c4-sponsor @c4-pre-sort @code4rena-admin @c4-bot-8