Open c4-submissions opened 1 year ago
0xA5DF marked the issue as primary issue
0xA5DF marked the issue as sufficient quality report
Duplicate of #412
alcueca changed the severity to QA (Quality Assurance)
Valid QA, despite sponsor dispute on #412
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L53
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L765
Vulnerability details
Impact
The chain id should not be hardcoded, because the chain id can change on the LayerZero side.
Proof of Concept
One of the integration guides from LayerZero is
https://layerzero.gitbook.io/docs/evm-guides/layerzero-integration-checklist
but in the current implementation, the code assumes the chain id can never change.
If we take a look at the code, the chain id is set as immutable in BranchBridgeAgent.
Later, when _performCall is triggered, that chain id is used to send the message through the LayerZero endpoint.
This is an issue because if LayerZero changes the chain id, all message sending will either go to the wrong chain or revert,
and LayerZero did change chain ids once last year,
confirmed by the LayerZero team.
The relevant Discord discussion is here on the LayerZero server:
https://discord.com/channels/881985666265780274/881992936609435688/1157059327841009664
The LayerZero team made an announcement on Discord last year as well:
https://discord.com/channels/881985666265780274/881992936609435688/1025202074805358622
I put the screenshots here:
https://drive.google.com/drive/folders/1ydmqFef48EO5GYP9XTmap1eirJr4IJH_?usp=drive_link
To access the Discord links above, one needs to join the LayerZero Discord server first.
Anyway, I just want to prove that the chain id can potentially change and has already been changed, so hardcoding the chain id can cause issues.
Tools Used
Manual Review
Recommended Mitigation Steps
Use admin-restricted setters to allow the admin to update the LayerZero chain id.
Assessed type
DoS
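Added illustration (not the project's code and not part of the submission above): a simplified Solidity sketch of the hardcoded pattern the report objects to, beside the admin-updatable variant the mitigation suggests. The contract names, `setRootChainId`, `setTrustedRemote` and the `onlyOwner` modifier are hypothetical; the endpoint interface mirrors the LayerZero v1 `send()` signature but is a stand-in, not the real endpoint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Stand-in for the LayerZero v1 endpoint; only send() is needed here.
interface ILayerZeroEndpointLike {
    function send(
        uint16 _dstChainId,
        bytes calldata _destination,
        bytes calldata _payload,
        address payable _refundAddress,
        address _zroPaymentAddress,
        bytes calldata _adapterParams
    ) external payable;
}

// Pattern the report objects to: the LayerZero chain id is fixed at deploy time.
// If LayerZero ever reassigns ids, every call below targets a stale id and either
// reverts at the endpoint or is routed to the wrong chain. (Hypothetical contract.)
contract HardcodedChainIdAgent {
    ILayerZeroEndpointLike public immutable lzEndpoint;
    uint16 public immutable rootChainId; // cannot be changed after deployment
    bytes public trustedRemote;          // remote address path for the destination

    constructor(address _endpoint, uint16 _rootChainId, bytes memory _trustedRemote) {
        lzEndpoint = ILayerZeroEndpointLike(_endpoint);
        rootChainId = _rootChainId;
        trustedRemote = _trustedRemote;
    }

    function performCall(bytes calldata payload) external payable {
        lzEndpoint.send{value: msg.value}(
            rootChainId, trustedRemote, payload, payable(msg.sender), address(0), ""
        );
    }
}

// Mitigated pattern: the chain id lives in storage and only an admin can change it.
// The trusted remote is updatable alongside it, because an id change on the LayerZero
// side normally has to be mirrored on both ends of the path. (Hypothetical contract.)
contract UpdatableChainIdAgent {
    address public owner;
    ILayerZeroEndpointLike public immutable lzEndpoint;
    uint16 public rootChainId;
    bytes public trustedRemote;

    event RootChainIdUpdated(uint16 indexed oldId, uint16 indexed newId);
    event TrustedRemoteUpdated(bytes oldRemote, bytes newRemote);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _endpoint, uint16 _rootChainId, bytes memory _trustedRemote) {
        require(_rootChainId != 0, "zero chain id");
        owner = msg.sender;
        lzEndpoint = ILayerZeroEndpointLike(_endpoint);
        rootChainId = _rootChainId;
        trustedRemote = _trustedRemote;
    }

    // Admin-restricted setter suggested by the mitigation. The zero check guards
    // against an accidental wipe; the event gives off-chain monitors something to alert on.
    function setRootChainId(uint16 _newId) external onlyOwner {
        require(_newId != 0, "zero chain id");
        emit RootChainIdUpdated(rootChainId, _newId);
        rootChainId = _newId;
    }

    function setTrustedRemote(bytes calldata _newRemote) external onlyOwner {
        require(_newRemote.length > 0, "empty remote");
        emit TrustedRemoteUpdated(trustedRemote, _newRemote);
        trustedRemote = _newRemote;
    }

    function performCall(bytes calldata payload) external payable {
        lzEndpoint.send{value: msg.value}(
            rootChainId, trustedRemote, payload, payable(msg.sender), address(0), ""
        );
    }
}
```

The setter is deliberately owner-only with no timelock shown; in a production deployment the admin key that can repoint cross-chain traffic is itself a high-value target, so the same change would usually sit behind a multisig or a timelock and be paired with a matching update on the destination chain.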