There is currently no validation on the swap instructions or bridge instructions structs passed to these functions. So it is possible for a malicious user to encode arbitrary calldata in the swapPayload bytes which gets passed to and decoded by the target swappers.
Similarly, the additional bridgePayload sent across chains in bridgeAndExecute could contain arbitrary logic as well.
Potential exploits
A bad actor could create fake frontends that encode malicious swap logic targeting draining funds or extracting tokens
Arbitrary contract calls after bridging could lead to exploits if the destination chain logic is not properly protected.
So, with the current implementation, a user could pass arbitrary calldata for swaps or bridged executions, without actually transferring funds they have approval over. Adding validations and schema checks would prevent this exploit vector.
// In UTB.sol
_swapAndExecute(
instructions.swapInstructions,
instructions.target,
instructions.paymentOperator,
instructions.payload,
instructions.refund
);
}
// In various Swapper contracts
SwapParams memory swapParams = abi.decode(
swapInstructions.swapPayload,
(SwapParams)
);
The swapAndExecute and bridgeAndExecute functions in UTB.sol are affected. These serve as the core pathways for users to perform cross-chain transactions via Decent.
Expected Behavior
These functions expect that the provided SwapInstructions and BridgeInstructions contain properly encoded information to integrate safely with target swappers and bridges registered in the system.
Root Cause Analysis
There is no validation of the swapInstructions or bridgeInstructions parameters passed in by users.
The encoded swapPayload and bridgePayload bytes can contain arbitrary malicious calldata.
When passed unchecked data, downstream swappers/bridges decode using abi.decode and execute unintended logic.
This can lead to loss of funds, stuck tokens, or execution of unintended logic.
Demonstration Scenario
Attacker creates a scam MetaMask popup prompting victim to "Approve" token transfer
Encodes malicious swapper calldata in background targeting draining funds
User approves due to legitimate popup UI
Arbitrary logic executes on approved tokens draining funds
Impact on End Users
End users of Decent trusting arbitrary frontends or encoded payloads are at risk of:
Funds loss due to draining from manipulated swapper logic
Approving transactions that execute unintended logic on-chain
Bridged assets getting stuck or lost if destination payload is invalid
This undermines the safety and reliability of the system from an end user perspective.
Impact on Ecosystem
For teams building on top of Decent:
Inability to guarantee users' safety, hindering adoption
Manual overhead in validating swap and bridge payloads
Additional infrastructure needed to rate limit transactions
Lower confidence in composing multi-step transactions via Decent
This ultimately impacts developer experience and trust in leverage Decent as a base layer.
Impact on Core Protocol
For the Decent core protocol:
Reputational damage if users lose funds from exploits
Slowed traction and growth metrics if TVL impacted
Opportunity costs having to fix exploits rather than build
Technical debt accrued to address issues after launch
Making the protocol more hardened before launch will improve security, velocity, and scalability.
Tools Used
Vs Code
Recommended Mitigation Steps
Validate source of swapInstructions (DEX contract)
Lines of code
https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L117-L124 https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L69-L72 https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTB.sol#L108-L124
Vulnerability details
Vulnerability Overview
There is currently no validation on the swap instructions or bridge instructions structs passed to these functions. So it is possible for a malicious user to encode arbitrary calldata in the
swapPayload
bytes which gets passed to and decoded by the target swappers.Similarly, the additional
bridgePayload
sent across chains in bridgeAndExecute could contain arbitrary logic as well.Potential exploits
So, with the current implementation, a user could pass arbitrary calldata for swaps or bridged executions, without actually transferring funds they have approval over. Adding validations and schema checks would prevent this exploit vector.
Proof of Concept
The lack of validation on external data from various user-supplied parameters: File:UTB.sol:swapAndExecute
Precisely:
swapInstructions
and encodedswapPayload
bytesbridgeInstructions
and encodedbridgePayload
target
addressExposure
This exposes the swapper and bridge integrations to several risks:
An:
Or similarly for arbitrary contract executions via bridges.
Affected Code Line 117-124, Line 69-72
The
swapAndExecute
andbridgeAndExecute
functions inUTB.sol
are affected. These serve as the core pathways for users to perform cross-chain transactions via Decent.Expected Behavior
These functions expect that the provided
SwapInstructions
andBridgeInstructions
contain properly encoded information to integrate safely with target swappers and bridges registered in the system.Root Cause Analysis
There is no validation of the
swapInstructions
orbridgeInstructions
parameters passed in by users.The encoded
swapPayload
andbridgePayload
bytes can contain arbitrary malicious calldata.When passed unchecked data, downstream swappers/bridges decode using
abi.decode
and execute unintended logic.This can lead to loss of funds, stuck tokens, or execution of unintended logic.
Demonstration Scenario
Impact on End Users
End users of Decent trusting arbitrary frontends or encoded payloads are at risk of:
This undermines the safety and reliability of the system from an end user perspective.
Impact on Ecosystem
For teams building on top of Decent:
This ultimately impacts developer experience and trust in leverage Decent as a base layer.
Impact on Core Protocol
For the Decent core protocol:
Making the protocol more hardened before launch will improve security, velocity, and scalability.
Tools Used
Vs Code
Recommended Mitigation Steps
swapInstructions
(DEX contract)SwapParams
before decodingAssessed type
Invalid Validation