This function can be called only by the SKALE chain owner. Besides that, the SKALE chain owner has enough power to spoof users in other ways. If it accidentally or maliciously breaks IMA, it affects only its own chain, and it can be restored using the same function.
Dup of #35 from the same warden; I agree with med severity but am marking invalid as it's a dup sub.
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/main/contracts/schain/TokenManager.sol#L223-L228
Vulnerability details
Impact
The function `changeDepositBoxAddress()` allows the `DEFAULT_ADMIN_ROLE` to change the `depositBox` associated with a `TokenManager`. If the `newDepositBox` is incorrectly set (either accidentally or maliciously) it will cause the bridge to become stuck.

For example, if we have a `TokenManagerERC20.sol` and the admin sets `newDepositBox = address(1)`, then when a user exits the SChain they will post a message with `messageReceiver = depositBox = address(1)`, as seen in the following.

Due to another bug, `_callReceiverContract()` will be called even if the `destinationContract` is not registered. Hence, when the message is posted to the `MessageProxy` on the main chain by a validator it will call `_callReceiverContract()`, which has the following code. Note that `destinationContract = messageReceiver = address(1)`.

The result is that since `address(1)` does not have any bytecode, the returndata will be of length zero and hence `receiver = abi.decode(returndata, (address))` will revert; therefore the entire transaction will revert when processing `postIncomingMessages()` for this SChain. Since we cannot process this message, the bridge will become stuck.

Proof of Concept
Recommended Mitigation Steps
This issue may be mitigated by removing the function `changeDepositBoxAddress()` and thus creating a permanent 1:1 relationship between a `DepositBox` and a `TokenManager` that is set in `initializeTokenManager()`, thereby preventing accidental or malicious misuse by the admin. If a `DepositBox` needs to be replaced (redeployed) on the main chain, then it is reasonable to redeploy the `TokenManager` on the SChain.

p.s. A different recommendation for the issue of the `try-catch` reverting is to use a low-level call instead of a try/catch. Note: the `if(!success) {...}` branch can be modified to emit the error logs.
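The stuck-message path described under Impact, side by side with the low-level-call mitigation from the p.s., as an added example that is not IMA's own code: `IMessageReceiver`, `MessageProxyExample` and the `CallFailed` event are assumed names, and the receiver interface is simplified to a single function returning an address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the IMA code base. The receiver interface is a
// hypothetical stand-in for the DepositBox entry point the proxy calls.
interface IMessageReceiver {
    function postMessage(address sender, bytes calldata data) external returns (address);
}

contract MessageProxyExample {
    event CallFailed(address indexed destination, bytes returnData);

    // Stuck-bridge pattern: if `destination` has no bytecode (e.g. address(1)),
    // the call returns empty returndata and decoding it to an address reverts
    // in THIS contract. That decode happens outside the external call, so the
    // catch block never runs and the whole batch of incoming messages reverts.
    function callReceiverUnsafe(address destination, address sender, bytes calldata data)
        external returns (address receiver)
    {
        try IMessageReceiver(destination).postMessage(sender, data) returns (address r) {
            receiver = r;
        } catch (bytes memory reason) {
            emit CallFailed(destination, reason);
        }
    }

    // Hardened pattern: a low-level call plus explicit checks on `success` and
    // on the returndata length before decoding. A bad destination is logged and
    // skipped instead of wedging every later message for this chain.
    function callReceiverSafe(address destination, address sender, bytes calldata data)
        external returns (bool ok, address receiver)
    {
        if (destination.code.length == 0) {
            emit CallFailed(destination, bytes("no code at destination"));
            return (false, address(0));
        }
        (bool success, bytes memory returnData) = destination.call(
            abi.encodeWithSelector(IMessageReceiver.postMessage.selector, sender, data)
        );
        // An address is ABI-encoded as one 32-byte word; anything shorter
        // would make abi.decode revert, so refuse it here instead.
        if (!success || returnData.length < 32) {
            emit CallFailed(destination, returnData);
            return (false, address(0));
        }
        receiver = abi.decode(returnData, (address));
        ok = true;
    }
}
```

Calling `callReceiverUnsafe(address(1), ...)` reverts for the reason the finding describes, while `callReceiverSafe(address(1), ...)` emits `CallFailed` and returns `(false, address(0))`, so the remaining messages in the batch can still be processed.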