c4-pre-sort
commented
8 months ago raymondfam marked the issue as sufficient quality report
Closed c4-bot-9 closed 8 months ago
c4-pre-sort
commented
8 months ago raymondfam marked the issue as sufficient quality report
c4-pre-sort
commented
8 months ago raymondfam marked the issue as duplicate of #27
c4-judge
commented
8 months ago alex-ppg marked the issue as satisfactory
Lines of code
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L101 https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L105
Vulnerability details
Impact
Users will lost all their bridged funds in case that the bridge execution fails in the destination chain.
Proof of Concept
When a user is bridging tokens to perform an execution in the destination chain, the users initiates their transaction by:
UTB::bridgeAndExecute() function, from there it will do the swap pre-bridge (in the src chain) & will modify the swapInstructions for the swap post-bridge (in the dest chain), then it will invoke theUTB::callBridge() functionUTB::callBridge() functionsome approvals are granted to the DecentBridgeAdapter contract, and then the execution is forwarded to theDecentBridgeAdapter::bridge() functionDecentBridgeAdapter::bridge() function, some data is encoded and decoded to prepare the calldata for the bridge, and then the [DecentEthRouter::bridgeWithPayload() function]() is called.DecentEthRouter::bridgeWithPayload() function, notice how themsg.senderin the DecentEthRouter contract will be the DecentBridgeAdapter contract, (from step 3 to step 4, the caller is the DecentBridgeAdapter contract). When thepayloadthat is sent for the execution in the destination chain is defined in theDecentEthRouter::_getCallParams() function, which is called by theDecentEthRouter::_bridgeWithPayload() function, the second parameter that is encoded as part of thepayloadvariable it is set to be themsg.sender, keep in mind that themsg.senderis the address of the DecentBridgeAdapter, not the user's address or an address controlled by him.payloadvariable to the [DecentEthRouter::onOFTReceived()function]() in the destination chain.DecentEthRouter::onOFTReceived()function is called, the received_payloadis decoded and the encoded values are saved in individual variables, the one we are interested is the second variable, which is themsg.senderthat was encoded in theDecentEthRouter::_getCallParams()function, then, if the crosschain message happens to be of an execute type, the execution will be forwarded to theDecentBridgeExecutor::execute() functionDecentBridgeExecutor::execute() function, either theDecentBridgeExecutor::_executeWeth() functionor theDecentBridgeExecutor::_executeEth() functionare called, and the receivedfromparameter (which was just decoded from the received payload in theonOFTReceived()) is forwarded to those functions.DecentBridgeAdapter::receiveFromBridge()of the current chain).fromparameter, which is exactly themsg.senderthat was encoded in theDecentEthRouter::_getCallParams()function. (See step 4)msg.senderwho called theDecentEthRouter::_getCallParams()function in the source chain will cause that the users lost all his bridged funds, and instead, the DecentBridgeAdapter contract address of the source chain will be the one that received the refund of the bridged funds.Tools Used
Manual Audit
Recommended Mitigation Steps
Instead of hardcoding the
refundAddressto be themsg.sender, use therefundeeaddress that was already provided by the user. This address was passed in the calldata sent to theUTB::bridgeAndExecute() function, specifically, the refundAddress specified by the user is encoded in theinstructions.refundvariable.DecentEthRouter::_getCallParams() function. Read the value of theinstructions.refundvariable that was sent at the beginning of the execution, and use that address to set the second variable of thepayloadvariable that is passed as a parameter for the execution in the destination chain.Assessed type
en/de-code