Closed c4-bot-9 closed 3 months ago
dmvt marked the issue as primary issue
0xRektora (sponsor) disputed
The encodeToeComposeMsg
will be used to encode a message from last to end, so indexes MSG_3(MSG_2(MSG_1))
.
This is why _tapComposedMsg
is the first packed var.
Those 2 functions are a bit ambiguous, see https://github.com/code-423n4/2024-02-tapioca-findings/issues/74 for more details.
dmvt marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarAssetXChainModule.sol#L90-L97 https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/tapiocaOmnichainEngine/TapiocaOmnichainEngineCodec.sol#L91
Vulnerability details
Description
In the
depositYBLendSGLLockXchainTOLP()
function, after lending to Singularity, it attempts to send SGL tokens cross-chain and execute the lock action upon receiving by using a composed message. Therefore, this function decodes the passed compose message to change thelockData.fraction
to the received token amount, and then encodes that message again afterwardThe
decodeToeComposeMsg()
function decodes with the order from left to right, which meanstapComposeMsg_
precedesnextMsg_
in the whole encoded messages.However,
encodeToeComposeMsg()
function will move the next message to the beginning of the total composed message.Therefore, the order of child messages will be changed in
depositYBLendSGLLockXchainTOLP
function.Impact
Cross-chain execution of Layerzero v2 will compose with the wrong order of actions, leading to unexpected results of DOS.
Tools Used
Manual review
Recommended Mitigation Steps
Move
_tapComposedMsg
to the end of the encoded message inencodeToeComposeMsg
as following:Assessed type
en/de-code