Open code423n4 opened 2 years ago
I would classify this as low risk at most. Arbitrary logic calls can only be triggered by the Cosmos module itself with full consensus, the ability of arbitrary logic to do unknown dangerous things is the design intent and any call actually deployed would have to have the utmost inspection before being used.
duplicate of #1
Agreed on the low risk classification. Perhaps the trust assumptions of the model should've been made more clear.
Duplicate of https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/1
I agree, arbitrary logic could be better documented. But it's also very clear in the existing code that there's no way to create arbitrary logic transactions as a user.
Reopening as per the judge's assessment as "primary issue" on the findings sheet.
Handle
0xito
Vulnerability details
Impact
An attacker can send a logic call that performs a `token.approve(attackerAddress, type(uint256).max)` using the `submitLogicCall` function. Afterwards, they can steal all tokens from the bridge using `token.safeTransferFrom(bridge, attacker, amount)`.
Proof of Concept
`submitLogicCall` with `token.approve(attackerAddress, type(uint256).max)`
`token.safeTransferFrom(bridge, attacker, amount)`
Tools Used
Recommended Mitigation Steps
Disallow calls to the bridge contract, or to any token/NFT contracts that the bridge owns tokens of (`token.balanceOf(address(this)) > 0`).
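One way to enforce the recommended mitigation, as an added illustrative sketch that is not Gravity Bridge's own code: the contract name, the `isForbiddenTarget` helper and the `_executeLogicCall` wrapper are hypothetical, and the real `submitLogicCall` would still verify validator signatures, nonces and fees before reaching this check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative guard for the mitigation above (not the project's own code).
/// A logic-call target is rejected when it is the bridge itself or when it
/// reports a non-zero balanceOf(bridge), i.e. it is a token/NFT the bridge holds.
contract LogicCallTargetGuard {
    // balanceOf(address) is exposed by both ERC20 and ERC721, so one probe covers both.
    bytes4 private constant BALANCE_OF = bytes4(keccak256("balanceOf(address)"));

    error ForbiddenLogicCallTarget(address target);

    /// Returns true when `target` must not receive an arbitrary logic call.
    function isForbiddenTarget(address target) public view returns (bool) {
        if (target == address(this)) return true;   // the bridge contract itself
        if (target.code.length == 0) return false;  // an EOA cannot hold bridge funds

        // Static probe: ask the target how many of its tokens the bridge owns.
        (bool ok, bytes memory ret) = target.staticcall(
            abi.encodeWithSelector(BALANCE_OF, address(this))
        );
        // A contract that reverts or does not return a full word is not a token we hold.
        if (!ok || ret.length < 32) return false;
        return abi.decode(ret, (uint256)) > 0;      // bridge owns tokens here: forbid
    }

    /// Hypothetical execution step reached after the call has been authorised.
    function _executeLogicCall(address target, bytes calldata payload) internal {
        if (isForbiddenTarget(target)) revert ForbiddenLogicCallTarget(target);
        (bool success, ) = target.call(payload);
        require(success, "logic call failed");
    }
}
```

The balanceOf probe trusts the target's own answer, so a contract can evade it by returning 0; an explicit allowlist of approved logic contracts is the more robust form of the same restriction.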