search

sherlock-audit / 2024-01-telcoin-judging

6 stars 5 forks source link

ginlee - All Telcoin may get lost for the users using the account abstraction wallet #135

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

ginlee

medium

All Telcoin may get lost for the users using the account abstraction wallet

Summary

Vulnerability Detail

proposedTransactions.push(
            ProposedTransaction({                  
                      totalWithdrawl: totalWithdrawl,
@>                destinations: destinations,
                      amounts: amounts,
                      timestamp: uint64(block.timestamp),
                      challenged: false,
                      executed: false
            })

For AA wallet users, on different blockchains, the same address may represent different entities or users. If this function does not differentiate between chains (by not using a chainId), it may not be able to correctly identify the actual user or entity corresponding to the destination address

Impact

Due to the uncertainty of addresses, a transaction intended for a specific user on one chain might mistakenly be sent to a different user on another chain. This situation is particularly important in cross-chain operations, as the same address may have no association across different chains. If the destination address could point to different users on different chains, this might lead to the risk of funds being sent incorrectly, transactions being misused, or maliciously exploited. Users might not be able to trust that the transaction will accurately reach the intended recipient.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L93-L102

Tool used

Manual Review

Recommendation

Clear user interface explanations: Clearly explain in the user interface that destination addresses may be associated with multiple chains, reminding users to carefully check and verify addresses.

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { The watson failed to provide a practical explanation on how that will occur}

nevillehuang commented 7 months ago

Invalid, feature request, since proposals can always be challenged.