Description:
The sweepToken function (BaseRouter.sol#L58) allows users with the HOUSE_KEEPER_ROLE role to transfer accidentally stuck ERC-20 tokens (due to the failed cross chain calls). A malicious user executing a Deposit action can deposit those assets on his behalf to the vault. Similarly, sweepETH function (BaseRouter.sol#L67) allows users with the HOUSE_KEEPER_ROLE role to transfer accidentally stuck Ether. A malicious user can withdraw a small sum of their assets using Withdraw action and all Ethers using a consecutive WithdrawETH action.
Recommendation:
Update the existing protection mechanism that checks the balances of tokens and Ether before and after executing a bundle. It should not only check whether the amounts after execution are smaller or equal, but it should require amounts to be strictly equal.
Where: https://github.com/Fujicracy/fuji-v2/blob/bffa427797ad8d6df63671868ee8823574e044ca/packages/protocol/src/abstracts/BaseRouter.sol#L85-L94
Description: The sweepToken function (BaseRouter.sol#L58) allows users with the HOUSE_KEEPER_ROLE role to transfer accidentally stuck ERC-20 tokens (due to the failed cross chain calls). A malicious user executing a Deposit action can deposit those assets on his behalf to the vault. Similarly, sweepETH function (BaseRouter.sol#L67) allows users with the HOUSE_KEEPER_ROLE role to transfer accidentally stuck Ether. A malicious user can withdraw a small sum of their assets using Withdraw action and all Ethers using a consecutive WithdrawETH action.
Recommendation:
Deposit.action.