c4-judge
commented
1 year ago trust1995 marked the issue as duplicate of #758
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago trust1995 marked the issue as duplicate of #758
c4-judge
commented
1 year ago trust1995 marked the issue as satisfactory
c4-judge
commented
1 year ago trust1995 marked the issue as partial-50
c4-judge
commented
1 year ago trust1995 marked the issue as full credit
c4-judge
commented
1 year ago trust1995 marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L948-L952 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L984 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchPort.sol#L212
Vulnerability details
Impact
Underlying token amounts are incorrect when withdrawing deposits.
Proof of Concept
In
_redeemDeposit()of BranchBridgeAgent.sol, a user can withdraw their failed deposit. First, thedepositsamounts are fetched by the_depositNonce. Next,clearToken()is called to mint and withdraw the local port and underlying tokens, respectively. Whenwithdraw()is called, the_depositamount is first converted using_denormalizeDecimals(). However, the result of the conversion is incorrect when token decimals are not18.Here are some examples when
_denormalizeDecimals()is called:_depositof1e6, decimal 6:1e6 * 1 ether / (10 ** 6)=1e18_depositof1e20, decimal 20:1e20 * 1 ether / (10 ** 20)=1e18In both cases, the result is
1e18which is incorrect because the underlying amount should be in their respective decimals. In both cases, using_depositamount would be correct.Tools Used
Manual
Recommended Mitigation Steps
Consider using the stored
_depositamount to transfer the underlying amount.Assessed type
Decimal