hats-finance / Most--Aleph-Zero-Bridge-0xab7c1d45ae21e7133574746b2985c58e0ae2e61d

Aleph Zero bridge to Ethereum
Apache License 2.0

The contract doesn’t validate permissions correctly when adding new pair #16

Open hats-bug-reporter[bot] opened 7 months ago

hats-bug-reporter[bot] commented 7 months ago

Github username: @rodiontr
Twitter username: --
Submission hash (on-chain): 0x7da0d041897fc9a62d2a521d150b4d3fde69b69e5d9d0a988e064577a9c40441
Severity: high

Description:

Description

The contract doesn't make sure it has permission to burn tokens and checks only if it's able to mint them.

Attack Scenario

In the lib.rs, when adding a new pair, it checks whether MOST has permission to mint in this line:

https://github.com/Cardinal-Cryptography/most/blob/70ab234cc3322fda82784413f5e0704907a0e1fe/azero/contracts/most/lib.rs#L671-672


    let psp22_address: AccountId = from.into();
    let psp22: ink::contract_ref!(Mintable) = psp22_address.into();

However, it should instead make sure that it can burn the from token, as it's burnt on the source chain initially:

https://github.com/Cardinal-Cryptography/most/blob/70ab234cc3322fda82784413f5e0704907a0e1fe/azero/contracts/most/lib.rs#L316


    self.burn_from(src_token_address.into(), sender, amount)?;

Attachments

Provided above.

Recommendation

Change the check to:

    let psp22_address: AccountId = from.into();
    let psp22: ink::contract_ref!(Burnable) = psp22_address.into();

krzysztofziobro commented 7 months ago

Invalid submission: A PoC is required for submission to be considered valid. You can create a new submission that contains a working PoC.
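
The registration-time concern raised in the report, modelled in plain Rust as an added example (not code from the MOST repository and not ink!). The `Token` role model, `BRIDGE`, `scenario` and both `add_pair_*` functions are hypothetical, and it assumes a bridge that burns on send and mints on receive, so the stricter check requires both roles rather than only the one the report names.

```rust
// Simplified model, not the MOST contract: all names here are hypothetical.
use std::collections::HashSet;

const BRIDGE: u32 = 1; // constructed account id standing in for the bridge

#[derive(Default)]
struct Token {
    minters: HashSet<u32>,
    burners: HashSet<u32>,
    supply: u128,
}

impl Token {
    fn mint(&mut self, caller: u32, amount: u128) -> Result<(), &'static str> {
        if !self.minters.contains(&caller) { return Err("caller lacks mint role"); }
        self.supply += amount;
        Ok(())
    }
    fn burn(&mut self, caller: u32, amount: u128) -> Result<(), &'static str> {
        if !self.burners.contains(&caller) { return Err("caller lacks burn role"); }
        self.supply = self.supply.checked_sub(amount).ok_or("insufficient supply")?;
        Ok(())
    }
}

// Registration check that only looks at the mint role.
fn add_pair_mint_only(t: &Token) -> Result<(), &'static str> {
    if t.minters.contains(&BRIDGE) { Ok(()) } else { Err("bridge cannot mint") }
}

// Stricter check (assumption: the send path burns, the receive path mints).
fn add_pair_mint_and_burn(t: &Token) -> Result<(), &'static str> {
    add_pair_mint_only(t)?;
    if t.burners.contains(&BRIDGE) { Ok(()) } else { Err("bridge cannot burn") }
}

// Constructed scenario: the token always grants mint, and burn only on request.
fn scenario(grant_burn: bool) -> (bool, bool, bool) {
    let mut t = Token::default();
    t.minters.insert(BRIDGE);
    if grant_burn { t.burners.insert(BRIDGE); }
    t.mint(BRIDGE, 100).expect("bridge holds the mint role");
    let loose = add_pair_mint_only(&t).is_ok();
    let strict = add_pair_mint_and_burn(&t).is_ok();
    (loose, strict, t.burn(BRIDGE, 10).is_ok()) // third value: does a later send succeed?
}

fn main() {
    println!("{:?} {:?}", scenario(false), scenario(true));
}
```

In this model, a token that grants only the mint role passes the mint-only check yet fails at the burn step of a later send, while the stricter check rejects the pair at registration.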