Closed code423n4 closed 1 year ago
Not sure the best way to handle this but this is the same root cause (though different consequences / places to fix) as #254
I don't believe this issue to be valid.
Home.dispatch() sets _sender to msg.sender. This is checked in onlyRemoteRouter as s.remotes[_domain] == _router. Therefore, if _sender is not the remote router, then this will revert.
Additionally, _sender cannot be the zero address because Home.dispatch() will always set this to msg.sender.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/relayer-fee/RelayerFeeRouter.sol#L135
Vulnerability details
Issue: any replica can call handle if it passes as origin a domain that does not exist and as _sender address(0).
Consequences: can claim fees for different transfer ids.
Affected Code
Mitigations
check for _router to not be empty (_router != bytes32(0)) inside the _isRemoteRouter() function on BaseConnextFacet
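
The mitigation proposed in the report above, as an added example that is not part of the original issue or of the Connext code base: a minimal Solidity model of the `remotes[_domain] == _router` comparison with and without the empty-router check. The contract name, `enrollRemoteRouter`, `isRemoteRouterUnchecked`, the error and the event are assumptions made for illustration; access control and the replica check are left out of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Simplified model written for this example; not the Connext contracts.
contract RemoteRouterCheck {
    // domain => enrolled remote router (bytes32-encoded address).
    // A domain that was never enrolled reads back as bytes32(0).
    mapping(uint32 => bytes32) public remotes;

    error NotRemoteRouter(uint32 domain, bytes32 router);
    event Handled(uint32 origin, bytes32 sender, bytes32 messageHash);

    // Hypothetical enrollment helper (owner check omitted in this model).
    function enrollRemoteRouter(uint32 _domain, bytes32 _router) external {
        require(_router != bytes32(0), "empty router");
        remotes[_domain] = _router;
    }

    // The comparison quoted in the thread. For an unenrolled domain the
    // lookup yields bytes32(0), so _router == bytes32(0) compares equal.
    function isRemoteRouterUnchecked(uint32 _domain, bytes32 _router)
        public view returns (bool)
    {
        return remotes[_domain] == _router;
    }

    // Same comparison with the report's mitigation applied first:
    // an empty router never matches, enrolled or not.
    function isRemoteRouter(uint32 _domain, bytes32 _router)
        public view returns (bool)
    {
        return _router != bytes32(0) && remotes[_domain] == _router;
    }

    modifier onlyRemoteRouter(uint32 _origin, bytes32 _sender) {
        if (!isRemoteRouter(_origin, _sender)) {
            revert NotRemoteRouter(_origin, _sender);
        }
        _;
    }

    // Stand-in for the router's handle(); the body only records the call.
    function handle(uint32 _origin, bytes32 _sender, bytes calldata _message)
        external onlyRemoteRouter(_origin, _sender)
    {
        emit Handled(_origin, _sender, keccak256(_message));
    }
}
```

With no domain enrolled, `isRemoteRouterUnchecked(1, bytes32(0))` returns true while `isRemoteRouter(1, bytes32(0))` returns false, so the guarded `handle` reverts regardless of how `_sender` was populated upstream.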