Closed code423n4 closed 1 year ago
Interesting idea. Indeed this is a check that is best added. Some thoughts:
Will leave this open for sponsor review, but it does seem pretty well understood by the sponsor this is required
/**
* @dev Initialize this contract.
* The contract will be paused.
* Note some parameters have to be set separately as they are generally
* not expected to be available at initialization time:
* - inbox and l1Router using setArbitrumAddresses
* - l2GRT using setL2TokenAddress
* - l2Counterpart using setL2CounterpartAddress
* - escrow using setEscrowAddress
* - whitelisted callhook callers using addToCallhookWhitelist
* - pauseGuardian using setPauseGuardian
* @param _controller Address of the Controller that manages this contract
*/
And i do agree with @trust1995 that the warden didn't identify the impact of this very clearly. Probably best downgraded to a QA issue.
We would indeed only unpause the gateway only after l2Counterpart has been set. I hadn't seen the fact that l2ToL1Sender could be zero for a system message though (not sure what that even means in an L2 to L1 message context), but it sounds like it's bad enough that Medium is reasonable severity imo (we've already seen bridges being hacked because of misconfigurations...). Though I agree the report doesn't elaborate on this attack vector / potential exploit paths.
Will work on a fix.
As the C4 docs state: 2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
The report does not discuss any potential impact of accepting Arbitrum system messages during initialization period of GraphTokenGateway. Without a stated impact it is not possible to argue for M severity. We don't know what is possible or not possible with system messages (are they relayable, what constraints do they have, etc.). Without a flow where harm is done it is handwavy to say this can cause impact.
Additionally, the contract is not functional until l2counterpart is set, so accepting system messages is only in the earliest init period.
going to downgrade to QA, definitely on the fence here and I think with a better impact, M would be warranted.
dupe of #198, wardens QA report.
Lines of code
https://github.com/code-423n4/2022-10-thegraph/blob/7ea88cc41f17f2d49961aafec7ebe72daeaad3f9/contracts/gateway/L1GraphTokenGateway.sol#L81-L82
Vulnerability details
Impact
If the
l2Counterpart
is not yet set,L1GraphTokenGateway:finalizeInboundTrasfer
can be called by a system messageProof of Concept
The
L1GraphTokenGateway:onlyL2Counterpart
does not check whetherl2Counterpart
or the result froml2ToL1Sender
call is the zero address. As the result, it will not revert if both of them are zero, but it should, as the call is not from theL2GraphTokenGateway
.In the
IOutbox.sol
from Arbitrum, when thel2ToL1Sender
returns the zero address, that means this is a system message.Below comments are from the current Outbox implementation
Tools Used
Manual review
Recommended Mitigation Steps
Add the check
require(l2Counterpart != address(0)
to theonlyL2Counterpart
to ensure thatl2Counterpart
is set.