code-423n4 / 2021-08-gravitybridge-findings


logic calls can steal tokens #25

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xito

Vulnerability details

Impact

An attacker can send a logic call that performs token.approve(attackerAddress, type(uint256).max) using the submitLogicCall function.

Afterwards, they can steal all tokens from the bridge using token.safeTransferFrom(bridge, attacker, amount).

Proof of Concept

Tools Used

Recommended Mitigation Steps

Disallow calls to the bridge contract, or to any token/NFT contracts that the bridge owns tokens of (token.balanceOf(address(this)) > 0).
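The pattern the finding describes and the mitigation it recommends, as an added illustration that is not part of the original issue and not the Gravity Bridge contract itself. Both contract names, the `submitLogicCall` layout, and the `_checkSignatures` stub (which stands in for validator-set signature verification) are assumptions made for the example; the only thing carried over from the finding is the `balanceOf(address(this)) > 0` check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used below (assumption: standard ERC20 semantics).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical bridge with the vulnerable pattern: a validator-signed payload is
// executed against an arbitrary target with msg.sender == bridge.
contract UncheckedLogicBridge {
    event LogicCallExecuted(address indexed target, bytes returnData);

    function submitLogicCall(address target, bytes calldata payload, bytes calldata sigs) external {
        _checkSignatures(target, payload, sigs);
        // Any target, any calldata. If `target` is an ERC20 this contract holds and
        // `payload` is abi.encodeWithSelector(IERC20.approve.selector, attacker, type(uint256).max),
        // the attacker can afterwards call token.transferFrom(bridge, attacker, amount).
        (bool ok, bytes memory ret) = target.call(payload);
        require(ok, "logic call reverted");
        emit LogicCallExecuted(target, ret);
    }

    // Stub (assumption): real code verifies the current validator set's signatures here.
    function _checkSignatures(address, bytes calldata, bytes calldata) internal pure {}
}

// Same bridge with the finding's mitigation: refuse targets that are the bridge
// itself or any contract reporting a non-zero balanceOf(bridge).
contract CheckedLogicBridge {
    event LogicCallExecuted(address indexed target, bytes returnData);

    function submitLogicCall(address target, bytes calldata payload, bytes calldata sigs) external {
        _checkSignatures(target, payload, sigs);
        require(target != address(this), "logic call may not target the bridge");
        require(!holdsBalanceIn(target), "logic call may not target a custodied token");
        (bool ok, bytes memory ret) = target.call(payload);
        require(ok, "logic call reverted");
        emit LogicCallExecuted(target, ret);
    }

    // Probe `target` as an ERC20/ERC721 (both expose balanceOf(address) with the same
    // selector) and report whether it holds a balance for this contract. Non-contracts
    // and contracts without a balanceOf(address) view are treated as not custodied;
    // the staticcall means a malicious target cannot reenter during the probe.
    function holdsBalanceIn(address target) public view returns (bool) {
        if (target.code.length == 0) return false;
        (bool ok, bytes memory data) = target.staticcall(
            abi.encodeWithSelector(IERC20.balanceOf.selector, address(this))
        );
        if (!ok || data.length < 32) return false;
        return abi.decode(data, (uint256)) > 0;
    }

    // Stub (assumption): real code verifies the current validator set's signatures here.
    function _checkSignatures(address, bytes calldata, bytes calldata) internal pure {}
}

// Hypothetical attacker contract that completes the drain once the approval exists.
contract Drainer {
    function drain(IERC20 token, address bridge, uint256 amount) external {
        token.transferFrom(bridge, msg.sender, amount);
    }
}
```

The balance probe is only as good as the target's answer, and it only covers tokens the bridge holds at call time: an approval granted while the bridge's balance in that token is zero stays valid for whatever is deposited later. An explicit allowlist of logic-call targets, or rejecting payloads whose selector is `approve`/`transferFrom` when the target is any token contract, is the stricter form of the same idea.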

jkilpatr commented 2 years ago

I would classify this as low risk at most. Arbitrary logic calls can only be triggered by the Cosmos module itself with full consensus; the ability of arbitrary logic to do unknown dangerous things is the design intent, and any call actually deployed would have to have the utmost inspection before being used.

Duplicate of #1

albertchon commented 2 years ago

Agreed on the low risk classification. Perhaps the trust assumptions of the model should've been made more clear.

Duplicate of https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/1

jkilpatr commented 2 years ago

I agree, arbitrary logic could be better documented. But it's also very clear in the existing code that there's no way to create arbitrary logic transactions as a user.

loudoguno commented 2 years ago

Reopening as per the judge's assessment as "primary issue" on the findings sheet.