Closed howlbot-integration[bot] closed 3 months ago
Seems like a good point. We can probably remove that call all together
@the-eridanus could you explain the worst case impact of the submission? To me it seems worst case scenario is inefficient code, which does not qualify for Med.
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-c
I would like to clarify some facts about this report since it was Sponsor Confirmed
(cc: @the-eridanus) in case they plan to apply this in the future, but I totally agree with the judge to downgrade this to QA.
minuscule
saving in terms of CPU/RAM footprint.logs are unlimited
, while otherwise it will be capped to the max log (planned to 50
?), which has the potential to break existing aggregator that are working today with an higher amount of logs than the planned cap.So overall there is some risk in applying this change, but if the team do their due diligences and feel confident with removing the call alltogether, I don't think this justify a Medium severity but rather Low
severity, so I'm aligned with the judge here.
Nevertheless, if we compare this report to mine which has been disputed
and set unsatisfactory
, while showing a much more impactfull
CPU/RAM impacts by the incoming changes, I'm having difficulties the reason about how the current issue was qualified as a QA while mine being deemed unsatisfactory, but I'm not the judge, and don't want to be XD, but I still wanted to express my disagreement
in that regards.
@the-eridanus could you explain the worst case impact of the submission? To me it seems worst case scenario is inefficient code, which does not qualify for Med.
agreed, the worst case is a very slight performance hit, but it's not really of concern.
@dontonka I don't mind re-marking yours as QA, by the way a single issue QA report is usually not eligible for rewards, do keep that in mind. Note that you also submitted as High, so there are grounds to disqualify based on inflated severity, which I didn't.
@the-eridanus for the record, sponsor confirmed without "disagree-with-severity" telegraphs agreement with the severity level, which was wrong here.
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L902-L928 https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L671-L684
Vulnerability details
Impact
WhiteList contract are included even though we disable th only whiteList contract feature.
Proof of Concept
While checking to find whether the contract is valid ,we are passing
includewhiteList
parameter astrue
even thoughdisableWhitelist
is set to 1.Lets see the
case e.isToValidContractAddress(destination, true):
her ein this snippet when we disabled the whitelisthttps://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L902-L928
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/bifrost/pkg/chainclients/ethereum/ethereum_block_scanner.go#L671-L684
includeWhiteList
is set astrue
while callingisToValidContractAddress
that results in looping through the whitelisted contract.Tools Used
Manual Review
Recommended Mitigation Steps
call
isToValidContractAddress(destination, false)
instead of passingtrue
Assessed type
Context