
DecentEthRouter::bridge/bridgeWithPayload can directly be called, which bypasses UTB main entry point with signature #66

Closed
c4-bot-9 opened this issue Jan 21, 2024 · 6 comments
Labels
  • 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
  • bug: Something isn't working
  • duplicate-647
  • satisfactory: satisfies C4 submission criteria; eligible for awards
  • sufficient quality report: This report is of sufficient quality

Comments

@c4-bot-9
Contributor

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L218-L224

Vulnerability details

Impact

The flow to swapAndBridge/bridgeAndSwap assets is long and starts in the UTB contract, where the participant provides an authenticator signature:
https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L259-L266
The problem is that a malicious actor can directly call DecentEthRouter::bridge with unchecked payload data, which means that it can be anything. For example, giving allowance for some ERC20 token from DecentBridgeExecutor to the attacker:
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L61
Another example is the provided data, which is not checked by the signer but reaches the following line and continues down the flow inside BridgeAdapter::receiveFromBridge and UTB::receiveFromBridge.

  • Impact is bypassing UTB calldata checks and fee calculations
  • Possibility of executing malicious actions on behalf of the executor contract.

Proof of Concept

One example is:

  1. Malicious actor encodes "abi.encodeWithSelector(IERC20(WETH).approve.selector, maliciousActor, type(uint256).max)" and provides it as the payload to bridgeWithPayload.
  2. The call is bridged and reaches the executor, which runs the provided calldata.
  3. Now the malicious actor can withdraw WETH from the contract, if by any chance there is some left.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a modifier on DecentEthRouter::bridge/bridgeWithPayload so that only BridgeAdapter can access them.

Assessed type

Access Control
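As an added illustration of the recommended mitigation (this is not code from the decent-bridge repository or from the reporter), the following minimal router gates both bridge entry points behind an `onlyBridgeAdapter` modifier and includes a Foundry test asserting that any other caller reverts before the payload is forwarded. The contract name `DecentEthRouterHardened`, the parameter list, the `Bridged` event and the `NotBridgeAdapter` error are assumptions for the example; the real router's signatures differ, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative router, not decent-bridge's own code. The only design point it
// demonstrates is the access-control check: the functions that accept an
// arbitrary payload are reachable solely from the trusted BridgeAdapter, which
// itself is only reached through UTB's signature-checked entry point.
contract DecentEthRouterHardened {
    address public immutable bridgeAdapter; // assumed: set once at deployment

    event Bridged(uint16 indexed dstChainId, address indexed toAddress, uint256 amount, bytes payload);

    error NotBridgeAdapter(address caller);

    constructor(address _bridgeAdapter) {
        require(_bridgeAdapter != address(0), "adapter is zero address");
        bridgeAdapter = _bridgeAdapter;
    }

    /// @dev Reverts for every caller other than the configured BridgeAdapter,
    ///      so a direct call with a crafted payload never reaches _bridge.
    modifier onlyBridgeAdapter() {
        if (msg.sender != bridgeAdapter) revert NotBridgeAdapter(msg.sender);
        _;
    }

    /// @notice Bridge without a payload (gated).
    function bridge(uint16 dstChainId, address toAddress, uint256 amount)
        external
        payable
        onlyBridgeAdapter
    {
        _bridge(dstChainId, toAddress, amount, "");
    }

    /// @notice Bridge with an executor payload (gated).
    function bridgeWithPayload(uint16 dstChainId, address toAddress, uint256 amount, bytes calldata payload)
        external
        payable
        onlyBridgeAdapter
    {
        _bridge(dstChainId, toAddress, amount, payload);
    }

    // Stand-in for the cross-chain send; only emits an event in this example.
    function _bridge(uint16 dstChainId, address toAddress, uint256 amount, bytes memory payload) internal {
        emit Bridged(dstChainId, toAddress, amount, payload);
    }
}

// Foundry test (assumes forge-std). Checks that a non-adapter caller reverts
// with NotBridgeAdapter and that the adapter itself can still bridge.
import "forge-std/Test.sol";

contract DecentEthRouterHardenedTest is Test {
    DecentEthRouterHardened router;
    address adapter = address(0xA11CE);   // constructed address for the trusted adapter
    address outsider = address(0xBEEF);   // constructed address for any other caller

    function setUp() public {
        router = new DecentEthRouterHardened(adapter);
    }

    function testDirectCallReverts() public {
        // Payload content is irrelevant here: the call must fail before it is used.
        bytes memory payload = hex"deadbeef";
        vm.prank(outsider);
        vm.expectRevert(abi.encodeWithSelector(DecentEthRouterHardened.NotBridgeAdapter.selector, outsider));
        router.bridgeWithPayload(101, outsider, 1 ether, payload);
    }

    function testAdapterCallSucceeds() public {
        vm.prank(adapter);
        router.bridge(101, adapter, 1 ether);
    }
}
```

The check uses `msg.sender` rather than `tx.origin`, so a contract sitting between the adapter and the router would also be rejected; if the protocol ever needs to rotate the adapter, the immutable would become an owner-settable address with an event on change, but the gate on the payload-carrying entry points stays the same.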

@c4-bot-9 c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 21, 2024
c4-bot-10 added a commit that referenced this issue Jan 21, 2024
@c4-pre-sort

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 23, 2024
@c4-pre-sort

raymondfam marked the issue as duplicate of #15

@c4-judge

c4-judge commented Feb 3, 2024

alex-ppg marked the issue as not a duplicate

@c4-judge

c4-judge commented Feb 3, 2024

alex-ppg marked the issue as duplicate of #221

@c4-judge

c4-judge commented Feb 3, 2024

alex-ppg marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-647 and removed duplicate-221 labels Feb 3, 2024
@c4-judge

c4-judge commented Feb 4, 2024

alex-ppg marked the issue as duplicate of #647
