search

code-423n4 / 2023-05-maia-findings

24 stars 13 forks source link

VirtualAccount cannot directly send native tokens #307

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/VirtualAccount.sol#L41-L53

Vulnerability details

Impact

Certain functions require native tokens to be sent. These functions will revert.

Proof of Concept

According to the Sponsor, VirtualAccounts can "call any of the dApps present in the Root Chain (Arbitrum) e.g. Maia, Hermes, Ulysses AMM,Uniswap." However, this is not the case as call() is not payable and thus cannot send native tokens to other contracts. This is problematic because certain functions require native token transfers and will fail.

Tools Used

Manual

Recommended Mitigation Steps

Consider creating a single call() function that has a payable modifier and {value: msg.value}. Be aware that since calls[i].target.call() is in a loop, it is not advisable to add payable to the existing call(). This is because msg.value may be used multiple times, and is unsafe.

Assessed type

Payable

c4-judge commented 1 year ago

trust1995 marked the issue as primary issue

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory

c4-sponsor commented 1 year ago

0xBugsy marked the issue as sponsor acknowledged

c4-sponsor commented 1 year ago

0xBugsy marked the issue as disagree with severity

trust1995 commented 1 year ago

Breaking of interoperability with dApps on the hosting chain, contrary to docs, justifies Med severity in my opinion.

c4-judge commented 1 year ago

trust1995 marked the issue as selected for report

c4-sponsor commented 1 year ago

0xBugsy marked the issue as sponsor confirmed

0xLightt commented 1 year ago

Addressed https://github.com/Maia-DAO/eco-c4-contest/commit/03c829ba0ef3fd74de3cb4fcd1ff5a72512072e9