search

code-423n4 / 2023-05-maia-findings

24 stars 13 forks source link

Cross-chain messaging via Anycall will fail #91

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L1006-L1011 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/lib/AnycallFlags.sol#L11

Vulnerability details

Impact

Cross-chain calls will fail since source-fee is not supplied to Anycall

Proof of Concept

In _performCall() of BranchBridgeAgent.sol, a cross-chain called is made using anyCall() with the _flag of 4. According to the Anycall V7 documentation and code, when using gas _flag of 4, the gas fee must be paid on the source chain. This means anyCall() must be called and sent gas.

However, this is not the case, and the result is _performCall will always revert. This will impact many functions that rely on this function such as callOut(), callOutSigned(), retryDeposit(), and etc.

Tools Used

Manual

Recommended Mitigation Steps

After discussing with the Sponsor, it is expected that the fee be paid on the destination chain, specifically the rootBridgeAgent. Consider refactoring the code to change the _flag to use pay on destination.

Alternatively, if pay on source is the intention, consider refactoring the code to include fees, starting with _performCall. Additional refactoring will be required.

function _performCall(bytes memory _calldata, uint256 _fee) internal virtual {
    //Sends message to AnycallProxy
    IAnycallProxy(localAnyCallAddress).anyCall{value: _fee}(
        rootBridgeAgentAddress, _calldata, rootChainId, AnycallFlags.FLAG_ALLOW_FALLBACK, ""
    );
}

Assessed type

Library

c4-judge commented 1 year ago

trust1995 marked the issue as primary issue

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory

c4-sponsor commented 1 year ago

0xLightt marked the issue as sponsor confirmed

c4-judge commented 1 year ago

trust1995 marked the issue as selected for report

c4-sponsor commented 1 year ago

0xBugsy marked the issue as sponsor acknowledged

c4-sponsor commented 1 year ago

0xBugsy marked the issue as sponsor confirmed

0xBugsy commented 1 year ago

We recognize the audit's findings on Anycall. These will not be rectified due to the upcoming migration of this section to LayerZero.