Open code423n4 opened 2 years ago
Acknowledged, and work is on the roadmap.
I believe the finding to have validity, in that, a set of signed messages can be replayed if the chain is disconnected and then re-connected while maintaining the same validators.
At this time I think Medium Severity (External Conditions Reliance) to be more appropriate and that the issue can be fully sidestepped by changing validators on a chain reconnect
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/MessageProxy.sol#L313-L317
Vulnerability details
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/MessageProxy.sol#L313-L317
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/MessageProxy.sol#L402-L409
In the current implementation, when a connected chain is removed, the
incomingMessageCounter
andoutgoingMessageCounter
will be deleted.And if it's reconnected again, the
incomingMessageCounter
andoutgoingMessageCounter
will be reset to0
.However, since the contract is using
connectedChains[fromChainHash].incomingMessageCounter
andsignature
to ensure that the message can only be processed once.Impact
Once the
incomingMessageCounter
resets to0
, all the past messages (transactions) can be replayed with the old signatures.Another impact is that, for the particular reconnected schain, both inbound and outbound messages may not be able to be processed properly, as the counter is now out of sync with the remote schain.
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/MessageProxyForSchain.sol#L212-L221
Recommendation
Recommendation
When removing and connecting a schain, instead of delete/reset the couter, consider leaving the counter as it is when
removeConnectedChain
,_addConnectedChain
also should not reset the counter: