Vulnerability Overview
Calldata Validation
The bridge adapters must be registered with UTB, and their onlyUtb modifier checks that the caller is the main UTB contract, so arbitrary addresses cannot bridge through an adapter directly. DecentEthRouter and DecentBridgeAdapter are additionally restricted by onlyLzApp modifiers.
Those checks restrict who may call the adapters; they say nothing about what the caller passes in. I recommend adding input validation on bridgeAndExecute for parameters such as the destination chainId, the amounts, and the swapper and bridge adapter IDs, and validating swapAndExecute inputs against the swap direction and the minimum amount the user expects to receive.
Issue Overview
The bridgeAndExecute and swapAndExecute functions on the UTB contract accept arbitrary swap and bridging configuration plus calldata to execute on the destination chain. Because none of it is checked, a malicious party can craft inputs that make another user's transaction through Decent's protocol do something the user did not intend.
These functions rely on the input structs being well formed and carrying the values the swappers and bridges expect when the call is relayed across chains. There is, however, no validation of the SwapInstructions, the BridgeInstructions or the encoded swapPayload.
For example, swapPayload can be any byte string, and whatever it decodes to is what the swapper executes. Likewise, SwapParams can carry an arbitrarily large amount, so far more tokens than intended are pulled into the swap and lost.
Impact
If unchecked user input is passed straight through to the swappers and bridges, a malicious party can cause any of the following:
Arbitrary token transfers driven by attacker-encoded swapPayload bytes
Excessive token amounts locked because high swap amounts are never bounded
Swaps or bridges that cannot complete because a wrong network or contract address was supplied
Unwanted logic executed in the target contract on the destination chain
Trigger & Examples
Exploitation requires the attacker to get a target user to call bridgeAndExecute or swapAndExecute with attacker-chosen inputs. Example attack flows:
A scam DEX front end has the user sign a transaction whose swap inputs were manipulated so that the swap drains the user's tokens
Swap amounts set to extreme values (up to max uint256) are forwarded without any sanity check, locking or moving far more than the user intended
A swapPayload crafted to hit known bugs or unexpected logic paths in a swapper
Which lines of code
The lines that need input validation are those where externally supplied data is passed straight into the swappers and bridges with no sanity checks: UTB.sol#L318, UTB.sol#L181-L184, UTB.sol#L259-L274 and UTB.sol#L108-L124 (full links under Lines of code below).
// UTB.sol
_swapAndExecute(postBridge, target, paymentOperator, payload, refund);
// in swapAndModifyPostBridge
SwapParams memory newPostSwapParams = abi.decode(
    instructions.postBridge.swapPayload,
    (SwapParams)
);
// in various adapter bridge functions
SwapParams memory postSwapParams = abi.decode(postBridge.swapPayload, (SwapParams));
Proof of Concept
The swapAndExecute and bridgeAndExecute functions in UTB.sol are affected. They are the main entry points through which users reach Decent's swappers and bridges for cross-chain transactions.
Expected Behavior
These functions expect the SwapInstructions and BridgeInstructions structs to contain properly encoded calldata for the target swappers and bridges, and the swappers and bridges in turn rely on the SwapParams and other data they receive being valid rather than arbitrarily manipulated.
Root Cause Breakdown
There is no input validation of the swapInstructions and bridgeInstructions parameters in UTB.
Likewise, the encoded swapPayload bytes handed to a swapper are never checked for conformance to the expected SwapParams schema.
Given unchecked data, the swappers and bridges blindly abi.decode it and act on the result.
Depending on which parameters were manipulated, this leads to loss of funds, stuck tokens, or execution of unintended logic.
Tools Used
VS Code
Recommended Mitigation Steps
Validate inputs at the UTB entry points: accept only swapper and bridge IDs that resolve to registered adapters, sanity-check the numeric amounts (non-zero and bounded, with a non-zero minimum received for exact-input swaps), and verify that the decoded swapPayload matches the SwapParams schema exactly rather than trusting whatever abi.decode returns.
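The following is an added illustration of the validation recommended here and in the Calldata Validation section above; it is example code, not Decent's UTB, and the struct layouts, the direction encoding, the MAX_AMOUNT cap and the registry mappings are assumptions modelled on the names the finding uses (SwapInstructions, BridgeInstructions, SwapParams, swapperId/bridgeId, direction, minimum amount received). The point worth noting is decodeSwapParams: abi.decode reverts on truncated data but silently accepts trailing bytes and non-canonical layouts, so the payload is re-encoded and compared before anything is forwarded to a swapper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Decent's code base. Struct layouts, direction values,
// MAX_AMOUNT and the registries are assumptions modelled on the finding's names.

struct SwapParams {
    uint256 amountIn;  // exactIn: amount sold;  exactOut: maximum amount sold
    uint256 amountOut; // exactIn: minimum received; exactOut: amount bought
    address tokenIn;
    address tokenOut;
    uint8 direction;   // EXACT_IN or EXACT_OUT (assumed encoding)
    bytes path;        // swapper-specific route, opaque to UTB
}

struct SwapInstructions {
    uint8 swapperId;
    bytes swapPayload; // abi.encode(SwapParams)
}

struct BridgeInstructions {
    SwapInstructions preBridge;
    SwapInstructions postBridge;
    uint8 bridgeId;
    uint256 dstChainId;
    address target;
    address paymentOperator;
    bytes payload;
    address payable refund;
}

contract UTBInputValidation {
    uint8 public constant EXACT_IN = 0;
    uint8 public constant EXACT_OUT = 1;
    // Assumed sane upper bound; rejects the max-uint256 style inputs described above.
    uint256 public constant MAX_AMOUNT = type(uint128).max;

    address public immutable admin;
    mapping(uint8 => address) public swappers;       // swapperId => registered adapter
    mapping(uint8 => address) public bridgeAdapters; // bridgeId  => registered adapter
    mapping(uint8 => mapping(uint256 => bool)) public chainSupported; // bridgeId => dstChainId

    error NotAdmin();
    error UnknownSwapper(uint8 swapperId);
    error UnknownBridge(uint8 bridgeId);
    error UnsupportedChain(uint8 bridgeId, uint256 dstChainId);
    error MalformedSwapPayload();
    error BadDirection(uint8 direction);
    error ZeroAmount();
    error AmountTooLarge();
    error ZeroAddress();

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }

    function registerSwapper(uint8 id, address swapper) external onlyAdmin {
        swappers[id] = swapper;
    }

    function registerBridge(uint8 id, address adapter, uint256[] calldata chains) external onlyAdmin {
        bridgeAdapters[id] = adapter;
        for (uint256 i = 0; i < chains.length; i++) chainSupported[id][chains[i]] = true;
    }

    /// Strict decode of swapPayload. abi.decode reverts on truncated data but
    /// ignores trailing bytes and accepts non-canonical layouts, so the payload
    /// is accepted only if it equals the canonical re-encoding of what was decoded.
    function decodeSwapParams(bytes memory payload) public pure returns (SwapParams memory p) {
        p = abi.decode(payload, (SwapParams));
        if (keccak256(abi.encode(p)) != keccak256(payload)) revert MalformedSwapPayload();
    }

    /// One swap leg: registered swapper, well-formed payload, known direction,
    /// and non-zero, bounded amounts so a zero "minimum received" cannot slip through.
    function validateSwap(SwapInstructions memory ins) public view returns (SwapParams memory p) {
        if (swappers[ins.swapperId] == address(0)) revert UnknownSwapper(ins.swapperId);
        p = decodeSwapParams(ins.swapPayload);
        if (p.direction != EXACT_IN && p.direction != EXACT_OUT) revert BadDirection(p.direction);
        if (p.amountIn == 0 || p.amountOut == 0) revert ZeroAmount();
        if (p.amountIn > MAX_AMOUNT || p.amountOut > MAX_AMOUNT) revert AmountTooLarge();
    }

    /// Full cross-chain instruction set, checked before any bridge adapter is called.
    function validateBridge(BridgeInstructions memory ins) public view {
        if (bridgeAdapters[ins.bridgeId] == address(0)) revert UnknownBridge(ins.bridgeId);
        if (!chainSupported[ins.bridgeId][ins.dstChainId]) revert UnsupportedChain(ins.bridgeId, ins.dstChainId);
        if (ins.target == address(0) || ins.refund == address(0)) revert ZeroAddress();
        validateSwap(ins.preBridge);
        validateSwap(ins.postBridge);
    }
}
```

In this arrangement swapAndExecute would call validateSwap and bridgeAndExecute would call validateBridge as their first statement, before any token is pulled or any adapter is invoked, and the same strict decodeSwapParams would replace the bare abi.decode in swapAndModifyPostBridge and in the adapters' bridge functions so that every decode site applies the same schema check.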
Lines of code
https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L318 https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L181-L184 https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L259-L274 https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L108-L124
Assessed type
Invalid Validation