Open code423n4 opened 1 year ago
bytes032 marked the issue as primary issue
Could be related to #583
psytama (sponsor) disputed
All the main function that a user interacts with to deposit or withdraw does not have this. and we plan on removing it in the admin only functions also.
Really interesting vector
I feel like the Warden has found a new category of attacks
For the code in scope the finding is a gotcha as no specific impact was demonstrated
GalloDaSballo changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/helper/ContractWhitelist.sol#L35 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L409
Vulnerability details
Impact
Arbitrum retryable ticket can be used to bypass the tx.origin check
Proof of Concept
There is a function _isEligibleSender
as the contract suggest, the code intended to check that if the caller is a EOA account or a smart contract
if it EOA account, the check pass, if the caller is a smart contract, the code check if the smart contract is whitelisted
However, arbitrum has a built-in cross-chain message protocol called retryable tickets
the retryable ticket can let user submit transaction (retryable ticket) in mainnet L1 and then the transaction will get executed in l2
the most important thing is that
https://docs.arbitrum.io/arbos/l1-to-l2-messaging#address-aliasing
basically when user submit a transaction in L1 and when the transaction get executed in L2, the msg.sender and tx.origin is aliased
note that another L2 optimism use the same address alias mechanism and the doc summarize very well
https://github.com/ethereum-optimism/optimism/blob/develop/specs/deposits.md#execution
If we go to https://www.evmdiff.com/
and we select ethereum with arbitrum and search for opcode
we get
and
then basically a smart contract can submit a retryable ticket on L1 and trigger the function that use _isEligibleSender as safeguard that mean to not let smart contract make the call
In particular the function calculateFunding in Atlantic Vault.sol and update the funding amount without admin's permission
Tools Used
Manual Review
Recommended Mitigation Steps
do not use tx.origin to check, only check if the caller is whitelisted or has certain role
Assessed type
Access Control