hats-finance / Most--Aleph-Zero-Bridge-0xab7c1d45ae21e7133574746b2985c58e0ae2e61d

Aleph Zero bridge to Ethereum
Apache License 2.0
0 stars 1 forks source link

Assets on `AlephZero` can be unbacked on `ETH` #6

Open hats-bug-reporter[bot] opened 7 months ago

hats-bug-reporter[bot] commented 7 months ago

Github username: @0xfuje Twitter username: 0xfuje Submission hash (on-chain): 0x0cc5d64fcb1309e8ea2a654336ebcb870e364cc55ea00ec7eed9ab765aec8c5b Severity: medium

Description:

Impact

AlephZero side of asset will worth less -> which can lead to loss of funds for users of that assets on AZ

Description

The owner can accidentally (or potentially maliciously) transfer out a locked ERC20 or WETH from the ETH side of the bridge via recoverERC20() and recoverNative() that is still used (not-locked) on AlephZero. This means that the amount of "recovered" ERC20 will have no backing on ETH which can lead to serious consequences.

Most.sol - recoverERC20()

    function recoverERC20(
        address token,
        address to,
        uint256 amount
    ) external onlyOwner {
        IERC20(token).safeTransfer(to, amount);
    }

Proof of Concept

Accident scenario

  1. 10_000 WETH locked in ETH side / 1_000 WETH locked on AZ side
  2. owner executes recoverERC20(), by mistake for 1000 WETH instead of 10 WETH
  3. Market will start to value AZ WETH less (1 / 0.9) -> which could lead to price dropping further
  4. People start to bridge back to ETH from AZ for arbitrage because price is unimpacted on ETH (even if bridge is paused people might be panic selling their AZ assets)
  5. Last users to bridge couldn't bridge funds because the funds are unbacked on ETH

Note: I debated myself on the severity, and I decided on medium since this could have a serious impact, but it requires either a malicious owner or accident from the side of the owner and the role is assumed to be behind a multi-sig so it's low likelihood. High impact + low likelihood = medium severity.

Recommendation

*To be added in comments later

krzysztofziobro commented 7 months ago

Invalid submission: No coded PoC + assuming a malicious owner/owner error