code-423n4 / 2024-06-thorchain-validation


Privileged Operation Vulnerability in privilegedOperation #240

Closed c4-bot-6 closed 4 months ago

c4-bot-6 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-thorchain/blob/main/chain/ethereum/contracts/THORChain_Router.sol?plain=1#L185-#L389

Vulnerability details

Impact

The vulnerability in the THORChain_Router contract presents a critical security risk related to the validation of privileged operations. This vulnerability allows unauthorized entities or malicious actors to execute privileged operations that should be restricted to specific users or contracts. By exploiting this flaw, attackers can bypass intended access controls, potentially leading to unauthorized asset transfers, state manipulations, or financial losses for affected users.

Functions Affected:

vaultAllowance: Allows unauthorized entities to query vault allowances.
transferAllowance: Permits unauthorized entities to execute transfers without proper authorization.
batchTransferOutV5: Enables unauthorized batch transfers out of the contract.
batchTransferOutAndCallV5: Allows unauthorized batch transfers with external calls.
depositWithExpiry: Unauthorized entities can initiate deposits with expiry.
transferOutAndCall: Enables unauthorized external calls with asset transfers.
transferOut: Allows unauthorized transfers out of the contract.
returnVaultAssets: Unauthorized return of vault assets to undesired addresses.
transferOutV5: Unauthorized transfers using the V5 method.

Proof of Concept

The vulnerability was identified through formal verification using Certora, highlighting scenarios where:

The contract fails to adequately validate the privilege of the calling entity or contract. Malicious actors can successfully execute privileged operations without meeting the required authorization criteria. Specific functions susceptible to unauthorized privileged operations include vaultAllowance, transferAllowance, batchTransferOutV5, batchTransferOutAndCallV5, depositWithExpiry, transferOutAndCall, transferOut, returnVaultAssets, and transferOutV5.

The contract does not enforce strict authorization checks for privileged operations. Attackers can impersonate or masquerade as authorized entities to perform critical actions, such as transferring assets or adjusting allowances. This behaviour directly undermines the security and integrity of access control mechanisms within the contract.

Tools Used

Manual review
Formal verification

Recommended Mitigation Steps

Implement robust access control mechanisms to ensure that privileged operations are restricted to authorized entities only.

Assessed type

Access Control
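As an added illustration of the recommended mitigation (not the THORChain_Router code and not part of the report above), the following hypothetical, simplified router shows one way to scope the privileged operations the report names: every state-changing function debits the allowance of msg.sender itself, so a caller can never move or reassign assets beyond what was credited to it, while vaultAllowance stays a read-only view. Contract, interface and event names are assumptions chosen to mirror the report's function names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified router illustrating caller-scoped authorization.
// Not the THORChain_Router contract; names mirror the functions the report lists.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ScopedAllowanceRouter {
    // vault => asset => balance that vault is authorized to move out of this contract
    mapping(address => mapping(address => uint256)) private _vaultAllowance;

    event TransferOut(address indexed vault, address indexed to, address asset, uint256 amount);
    event TransferAllowance(address indexed oldVault, address indexed newVault, address asset, uint256 amount);

    // Deposits credit the named vault; funds are pulled from msg.sender, so the
    // depositor can only give away what it actually holds.
    function deposit(address vault, address asset, uint256 amount) external {
        require(IERC20(asset).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        _vaultAllowance[vault][asset] += amount;
    }

    // Read-only: exposes no privileged capability.
    function vaultAllowance(address vault, address asset) external view returns (uint256) {
        return _vaultAllowance[vault][asset];
    }

    // Authorization is implicit in the accounting: the debit is taken from
    // msg.sender's own allowance, so no caller can spend another vault's balance.
    function transferOut(address to, address asset, uint256 amount) external {
        _debit(msg.sender, asset, amount);
        require(IERC20(asset).transfer(to, amount), "transfer failed");
        emit TransferOut(msg.sender, to, asset, amount);
    }

    // Moving allowance to a new vault likewise debits only the caller.
    function transferAllowance(address newVault, address asset, uint256 amount) external {
        _debit(msg.sender, asset, amount);
        _vaultAllowance[newVault][asset] += amount;
        emit TransferAllowance(msg.sender, newVault, asset, amount);
    }

    function _debit(address vault, address asset, uint256 amount) internal {
        uint256 bal = _vaultAllowance[vault][asset];
        require(bal >= amount, "insufficient vault allowance");
        _vaultAllowance[vault][asset] = bal - amount;
    }
}
```

A reviewer checking a router for the class of issue described above would verify that each state-changing entry point keys its debit on msg.sender (or an explicit allowlist) rather than on a caller-supplied vault address.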