code-423n4 / 2023-05-maia-findings


Functions `retrieveDeposit()`, `redeemDeposit()` & `retrySettlement` in `BranchBridgeAgent` lack access control #650

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L433-L439

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L450-L456

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L418-L430

Vulnerability details

Impact

Users can force the execution of some functions on behalf of other users

Proof of Concept

`redeemDeposit()` becomes available in `BranchBridgeAgent` when execution has failed from Branch to Root, in order for the user to collect the deposited tokens. The problem is that there is no access control and anyone can call `redeemDeposit()` for any deposit nonce; a user might not want to redeem a deposit and instead retry it. Similarly, `retrieveDeposit` & `retrySettlement` also lack access control. These functions should be available only to the depositor.

Tools used

Manual Inspection

Mitigation

Add access control checks to the mentioned functions

Assessed type

Access Control
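
The mitigation named in the submission above, sketched as an added example that is not part of the original report or the Maia code base. It is a simplified model: the struct layout, error names and the `recordFailedDeposit` helper are assumptions, and it shows a nonce-keyed call without a caller check beside the owner-checked form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Simplified model for illustration; not the Maia BranchBridgeAgent source.
/// Struct fields, error names and function bodies are assumptions.
contract DepositAccessControlSketch {
    enum DepositStatus { Success, Failed }

    struct Deposit {
        address owner;        // account that created the deposit
        uint256 amount;       // stand-in for the deposited tokens
        DepositStatus status;
    }

    mapping(uint32 => Deposit) public getDeposit;
    uint32 public depositNonce;

    error NotDepositOwner();
    error DepositRedeemUnavailable();

    /// Restricts a nonce-keyed action to the account that made the deposit.
    modifier onlyDepositOwner(uint32 _depositNonce) {
        if (getDeposit[_depositNonce].owner != msg.sender) revert NotDepositOwner();
        _;
    }

    /// Hypothetical helper: records a deposit already marked Failed so it can be redeemed.
    function recordFailedDeposit() external payable returns (uint32 nonce) {
        nonce = depositNonce++;
        getDeposit[nonce] = Deposit(msg.sender, msg.value, DepositStatus.Failed);
    }

    /// Pattern the finding describes: no check ties the caller to the nonce.
    function redeemDepositUnrestricted(uint32 _depositNonce) external {
        _redeem(_depositNonce);
    }

    /// Owner-checked form: only the depositor decides between redeeming and retrying.
    function redeemDeposit(uint32 _depositNonce) external onlyDepositOwner(_depositNonce) {
        _redeem(_depositNonce);
    }

    function _redeem(uint32 _depositNonce) internal {
        Deposit memory d = getDeposit[_depositNonce];
        if (d.status != DepositStatus.Failed) revert DepositRedeemUnavailable();
        delete getDeposit[_depositNonce]; // clear state before the external call
        (bool ok,) = d.owner.call{value: d.amount}("");
        require(ok, "refund failed");
    }
}
```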

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Invalid

trust1995 commented 1 year ago

The warden has not developed the impact to the level required as #869 has done.