code423n4 opened 2 years ago
This can be done only by the SKALE chain owner. The SKALE chain owner develops its own application and has many other capabilities to spoof its users.

Agree that the admin has the ability to rug users and agree with Med Severity.
Lines of code

https://github.com/skalenetwork/ima-c4-audit/blob/main/contracts/schain/TokenManagers/TokenManagerEth.sol#L45-L49

Vulnerability details

Impact

There is a centralisation risk in the bridge: the `DEFAULT_ADMIN_ROLE` of `TokenManagerEth.sol` is able to point the ERC20 token on the SChain at any arbitrary address. This would allow the admin role to change the address to a contract where they have infinite supply; they could then call `exitToMain(amount)` with an amount equal to the balance of the DepositBox on the main Ethereum chain. After the message is processed on the main Ethereum chain, they would receive the entire Eth balance of that contract.

The rug pull is possible because there is a `DEFAULT_ADMIN_ROLE` which is set in the initialisation to the `msg.sender`, as seen in `initializeTokenManager()` below. The `DEFAULT_ADMIN_ROLE` may then call `setEthErc20Address(IEthErc20 newEthErc20Address)`, setting `newEthErc20Address` to any arbitrary contract they control.

Proof of Concept

Recommended Mitigation Steps

Consider removing the function `setEthErc20Address()`, as `ethErc20` is set in the `initialize()` function and does not need to be changed afterwards.
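The pattern behind the finding and the recommended mitigation, side by side, as an added example that is not part of the original issue and not SKALE's code. Both contracts, the `IMessageProxy` interface, the `depositBox` field and the `initialize()` signature are hypothetical simplifications; only the names `ethErc20`, `setEthErc20Address` and `exitToMain` follow the finding. The point is that the token `exitToMain` burns from is a trust anchor for the whole bridge, so a privileged setter for it is a single-call rug, while fixing it once at initialization makes any change a visible redeployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified bridge-side token manager (not SKALE's code).
// The main-chain DepositBox releases ETH for whatever was burned here, so
// the contract behind `ethErc20` is the trust anchor for every exit.

interface IEthErc20 {
    function burn(address account, uint256 amount) external;
}

// Stand-in for the cross-chain messaging contract (assumed interface); a
// real bridge would relay this message to the main chain.
interface IMessageProxy {
    function postOutgoingMessage(address receiver, bytes calldata data) external;
}

// Before: the admin keeps a setter for the trusted token address.
contract VulnerableTokenManagerEth {
    address public admin;
    IEthErc20 public ethErc20;
    IMessageProxy public messageProxy;
    address public depositBox;

    function initialize(IEthErc20 token, IMessageProxy proxy, address box) external {
        require(admin == address(0), "already initialized");
        admin = msg.sender;        // the deployer becomes the privileged role
        ethErc20 = token;
        messageProxy = proxy;
        depositBox = box;
    }

    // Privileged setter: any contract that implements burn() can be installed
    // here, so the admin alone decides what backs exits on the main chain.
    function setEthErc20Address(IEthErc20 newEthErc20Address) external {
        require(msg.sender == admin, "not admin");
        ethErc20 = newEthErc20Address;
    }

    function exitToMain(uint256 amount) external {
        ethErc20.burn(msg.sender, amount);   // trusts whatever ethErc20 points to
        messageProxy.postOutgoingMessage(depositBox, abi.encode(msg.sender, amount));
    }
}

// After: the token address is fixed once in initialize() and has no setter.
contract HardenedTokenManagerEth {
    IEthErc20 public ethErc20;
    IMessageProxy public messageProxy;
    address public depositBox;
    bool private initialized;

    function initialize(IEthErc20 token, IMessageProxy proxy, address box) external {
        require(!initialized, "already initialized");
        require(address(token) != address(0), "zero token");
        initialized = true;
        ethErc20 = token;
        messageProxy = proxy;
        depositBox = box;
    }

    // No setEthErc20Address(): changing the backing token now requires a new
    // deployment that users can see, rather than a single admin transaction.
    function exitToMain(uint256 amount) external {
        ethErc20.burn(msg.sender, amount);
        messageProxy.postOutgoingMessage(depositBox, abi.encode(msg.sender, amount));
    }
}
```

When reviewing a bridge, the check this illustrates is simple: list every storage variable that an exit or withdrawal path reads to decide how much value the other chain should release, and confirm none of them has a privileged setter that survives initialization.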