Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app

SDK to update args for _crossTransfer and _crossTransferWithCalldata #504

Open 0xdcota opened 1 year ago

0xdcota commented 1 year ago

In the Macro review audit it was identified that the delegate argument in connext.xcall, which is used inside the bundle actions _crossTransfer and _crossTransferWithCalldata, is subject to a vulnerability. Previously the delegate was set as the msg.sender. However, it would be best to have the delegate as its own argument.

In _crossTransfer:

function _crossTransfer(
    bytes memory params,
    address beneficiary
  )
    internal
    override
    returns (address)
  {
    (
      uint256 destDomain,
      uint256 slippage,
      address asset,
      uint256 amount,
      address receiver,
      address sender,
      address delegate
    ) = abi.decode(params, (uint256, uint256, address, uint256, address, address, address));
...
bytes32 transferId = connext.xcall(
      // _destination: Domain ID of the destination chain
      uint32(destDomain),
      // _to: address of the target contract
      receiver,
      // _asset: address of the token contract
      asset,
      // _delegate: address that has rights to update the original slippage tolerance
      // by calling Connext's forceUpdateSlippage function
      delegate,
      // _amount: amount of tokens to transfer
      amount,
      // _slippage: can be anything between 0-10000 because it is
      // the maximum amount of slippage the user will accept in BPS, 30 == 0.3%
      slippage,
      // _callData: empty because we're only sending funds
      ""
    );

In _crossTransferWithCalldata:

function _crossTransferWithCalldata(
    bytes memory params,
    address beneficiary
  )
    internal
    override
    returns (address beneficiary_)
  {
    (
      uint256 destDomain,
      uint256 slippage,
      address asset,
      uint256 amount,
      address delegate,
      bytes memory callData
    ) = abi.decode(params, (uint256, uint256, address, uint256, address, bytes));
...
bytes32 transferId = connext.xcall(
      // _destination: Domain ID of the destination chain
      uint32(destDomain),
      // _to: address of the target contract
      routerByDomain[destDomain],
      // _asset: address of the token contract
      asset,
      // _delegate: address that can revert or forceLocal on destination
      delegate,
      // _amount: amount of tokens to transfer
      amount,
      // _slippage: can be anything between 0-10000 because it is
      // the maximum amount of slippage the user will accept in BPS, 30 == 0.3%
      slippage,
      // _callData: the encoded calldata to send
      callData
    );

0xdcota commented 1 year ago

Refer to: Issue #459 and/or pull request #484
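
Added example (not code from this issue or from the fuji-v2 SDK): one way a client could ABI-encode the two `params` layouts decoded above, with `delegate` as a required field of its own. The function names, the zero-address rejection and the uint32 domain bound are assumptions made for illustration; the 0-10000 slippage bound comes from the contract comment.

```javascript
// Added example; names and the checks marked "assumption" are not from the page.
const MAX_U256 = (1n << 256n) - 1n;

// Encode an unsigned integer as one 32-byte ABI word, enforcing an upper bound.
function uint(v, name, max = MAX_U256) {
  const n = BigInt(v);
  if (n < 0n || n > max) throw new Error(`${name}: out of range`);
  return n.toString(16).padStart(64, "0");
}

// Encode an address as one left-padded 32-byte ABI word.
function addr(a, name) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(a)) throw new Error(`${name}: expected a 20-byte hex address`);
  // Assumption: the zero address is treated as a caller mistake for every address field.
  if (/^0x0{40}$/.test(a)) throw new Error(`${name}: zero address`);
  return a.slice(2).toLowerCase().padStart(64, "0");
}

// The first four slots are identical in both layouts.
function head(p) {
  return [
    uint(p.destDomain, "destDomain", 0xffffffffn), // assumption: reject values the uint32 cast would truncate
    uint(p.slippage, "slippage", 10000n),          // BPS, 0-10000 per the contract comment
    addr(p.asset, "asset"),
    uint(p.amount, "amount"),
  ];
}

// Layout: (uint256, uint256, address, uint256, address, address, address)
function encodeCrossTransfer(p) {
  return "0x" + [...head(p), addr(p.receiver, "receiver"), addr(p.sender, "sender"),
    addr(p.delegate, "delegate")].join("");
}

// Layout: (uint256, uint256, address, uint256, address, bytes)
function encodeCrossTransferWithCalldata(p) {
  if (!/^0x([0-9a-fA-F]{2})*$/.test(p.callData)) throw new Error("callData: expected 0x-prefixed hex bytes");
  const data = p.callData.slice(2).toLowerCase();
  const padded = data.padEnd(Math.ceil(data.length / 64) * 64, "0");
  return "0x" + [...head(p), addr(p.delegate, "delegate"),
    uint(6 * 32, "offset"),          // the bytes tail starts after the six head slots
    uint(data.length / 2, "length"), padded].join("");
}

// Constructed sample values, not real addresses or a real Connext domain.
const SAMPLE = { destDomain: 1234, slippage: 30, asset: "0x" + "11".repeat(20), amount: "1000000",
  receiver: "0x" + "22".repeat(20), sender: "0x" + "33".repeat(20), delegate: "0x" + "44".repeat(20) };
const SAMPLE_ENCODED = encodeCrossTransfer(SAMPLE);
```

Because `delegate` has no default, a caller that omits it gets an error at encoding time rather than a transfer whose delegate was chosen implicitly.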