code-423n4 / 2023-09-maia-findings


Lack of force resume support for LZ which is crucially important to have #875

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/c0dc3550e0754571b82d7bfd8f0282ac8fa5e42f/src/RootBridgeAgent.sol#L32
https://github.com/code-423n4/2023-09-maia/blob/c0dc3550e0754571b82d7bfd8f0282ac8fa5e42f/src/BranchBridgeAgent.sol#L45

Vulnerability details

Impact

The User Application (LZReceiver) should implement the ILayerZeroUserApplicationConfig interface which includes the forceResumeReceive function. This is very important as in the worst case, it can allow the owner to unblock the queue of messages if something unexpected/unpredicted occurs.

This is crucially important to have, especially in emergency situations. I've reported 2 issues related to blocking the messaging channel of LZ. This explains why it is highly recommended by LayerZero. Please check https://layerzero.gitbook.io/docs/evm-guides/best-practice

Proof of Concept

Please check RootBridgeAgent and BranchBridgeAgent. There is no implementation of ILayerZeroUserApplicationConfig.

Tools Used

Manual analysis

Recommended Mitigation Steps

Implement forceResumeReceive as a last resort in case something happens.

Assessed type

Other
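As an added illustration (not code from the Maia repository or from LayerZero), a minimal owner-gated bridge-agent base that implements the interface the report recommends; the interface signatures are the LayerZero V1 ones, while `ConfigurableBridgeAgent`, `owner` and `lzEndpoint` are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copies of the LayerZero V1 interfaces this example relies on.
interface ILayerZeroEndpoint {
    function setConfig(uint16 _version, uint16 _chainId, uint256 _configType, bytes calldata _config) external;
    function setSendVersion(uint16 _version) external;
    function setReceiveVersion(uint16 _version) external;
    function forceResumeReceive(uint16 _srcChainId, bytes calldata _srcAddress) external;
}

interface ILayerZeroUserApplicationConfig {
    function setConfig(uint16 _version, uint16 _chainId, uint256 _configType, bytes calldata _config) external;
    function setSendVersion(uint16 _version) external;
    function setReceiveVersion(uint16 _version) external;
    function forceResumeReceive(uint16 _srcChainId, bytes calldata _srcAddress) external;
}

// Hypothetical base contract (not the audited RootBridgeAgent/BranchBridgeAgent)
// that exposes the endpoint's config surface to a single privileged owner.
abstract contract ConfigurableBridgeAgent is ILayerZeroUserApplicationConfig {
    ILayerZeroEndpoint public immutable lzEndpoint; // assumed endpoint address
    address public owner;                           // assumed admin role

    event ForceResumeReceive(uint16 indexed srcChainId, bytes srcAddress, address indexed by);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _endpoint, address _owner) {
        lzEndpoint = ILayerZeroEndpoint(_endpoint);
        owner = _owner;
    }

    function setConfig(uint16 _version, uint16 _chainId, uint256 _configType, bytes calldata _config)
        external override onlyOwner { lzEndpoint.setConfig(_version, _chainId, _configType, _config); }

    function setSendVersion(uint16 _version) external override onlyOwner { lzEndpoint.setSendVersion(_version); }

    function setReceiveVersion(uint16 _version) external override onlyOwner { lzEndpoint.setReceiveVersion(_version); }

    // Last-resort unblock: asks the endpoint to drop the stored payload for this
    // (srcChainId, srcAddress) path so queued messages behind it can be delivered again.
    function forceResumeReceive(uint16 _srcChainId, bytes calldata _srcAddress) external override onlyOwner {
        lzEndpoint.forceResumeReceive(_srcChainId, _srcAddress);
        emit ForceResumeReceive(_srcChainId, _srcAddress, msg.sender);
    }
}
```

Emitting an event on every forced resume gives monitoring a clear signal that an admin discarded an in-flight message, which is worth alerting on.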

c4-pre-sort commented 1 year ago

0xA5DF marked the issue as primary issue

c4-pre-sort commented 1 year ago

0xA5DF marked the issue as sufficient quality report

0xA5DF commented 1 year ago

Improvements are usually just QA, but will leave open for sponsor to comment and for judge to see if there's a case to make an exception here

0xA5DF commented 1 year ago

#760 talks about using a non-blocking config, duping due to similarity

c4-sponsor commented 1 year ago

0xBugsy (sponsor) disputed

0xBugsy commented 1 year ago

This is intended. Our system is a centralization-minimal approach to a non-blocking lzApp. Despite this not being possible in production, in theory it would be a nice addition out of an abundance of caution.

c4-sponsor commented 1 year ago

0xBugsy (sponsor) confirmed

c4-sponsor commented 1 year ago

0xBugsy marked the issue as disagree with severity

alcueca commented 1 year ago

Medium is justified, see #399

c4-judge commented 1 year ago

alcueca marked the issue as satisfactory

c4-judge commented 1 year ago

alcueca marked the issue as partial-50

alcueca commented 1 year ago

Misses the attack angle via underfunded transactions that makes it a valid DoS

c4-judge commented 1 year ago

alcueca marked the issue as duplicate of #399

c4-judge commented 1 year ago

alcueca marked the issue as satisfactory

c4-judge commented 1 year ago

alcueca marked the issue as partial-50