Closed sherlock-admin4 closed 4 months ago
This is a valid issue that is different from #67 and should be deduped
CC @nevillehuang
@cryptotechmaker I believe this is a duplicate of #111 and family; all point to unvalidated srcChainSender
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/TapiocaZ/pull/189; https://github.com/Tapioca-DAO/Tapioca-bar/pull/377.
This also fixes #140
bin2chen
high
Multiple lzCompose messages did not verify the legality of _srcChainSender
Summary
In the current protocol, several modules only require the _toeComposeMsg to execute. However, there is no validation of the legality of _srcChainSender. As a result, anyone can construct a _toeComposeMsg to execute arbitrary lzCompose information.
Vulnerability Detail
Let's take TOFTMarketReceiverModule.marketRemoveCollateralReceiver as an example. This module's parameter is only _data = _toeComposeMsg.
Without passing _srcChainSender and validating its legitimacy, anyone can front-run construct a compose msg for execution.
Impact
The lack of a _srcChainSender security check allows anyone to modify the compose msg for execution.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L161
Tool used
Manual Review
Recommendation
It is recommended that all modules check _srcChainSender. For instance, consider adding something similar to _internalTransferWithAllowance(msg_.receiver, srcChainSender, msg_.amount);. This recommendation applies to modules such as:
Duplicate of #14
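An added sketch of the check the recommendation describes, shown beside the unchecked shape from the report. It is not code from the report or from Tapioca: the contract, its toy collateral ledger, `RemoveMsg`, `endpoint` and the function names are hypothetical, and it assumes the messaging layer hands the receiver an authenticated `srcChainSender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: simplified, hypothetical contract, not Tapioca's code.
// Assumption: `endpoint` is the trusted messaging layer and passes the
// authenticated origin address as `srcChainSender`.
contract ComposeReceiverSketch {
    struct RemoveMsg { address user; address receiver; uint256 amount; }

    address public immutable endpoint;
    mapping(address => uint256) public collateral; // toy ledger
    mapping(address => mapping(address => uint256)) public allowance; // owner => spender

    error NotEndpoint();
    error NotAuthorized(address owner, address srcChainSender);

    constructor(address endpoint_) { endpoint = endpoint_; }

    modifier onlyEndpoint() {
        if (msg.sender != endpoint) revert NotEndpoint();
        _;
    }

    function deposit(uint256 amount) external { collateral[msg.sender] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }

    // Shape described in the report: only the payload is consulted, so whoever
    // authored the message chooses `user` freely.
    function removeUnchecked(bytes calldata data) external onlyEndpoint {
        _remove(abi.decode(data, (RemoveMsg)));
    }

    // Hardened shape: the authenticated sender must be `user` or hold allowance.
    function removeChecked(address srcChainSender, bytes calldata data) external onlyEndpoint {
        RemoveMsg memory m = abi.decode(data, (RemoveMsg));
        _spendAllowance(m.user, srcChainSender, m.amount);
        _remove(m);
    }

    function _spendAllowance(address owner, address spender, uint256 amount) private {
        if (owner == spender) return; // acting on one's own position
        uint256 allowed = allowance[owner][spender];
        if (allowed < amount) revert NotAuthorized(owner, spender);
        if (allowed != type(uint256).max) allowance[owner][spender] = allowed - amount;
    }

    function _remove(RemoveMsg memory m) private {
        collateral[m.user] -= m.amount;     // reverts on underflow in 0.8
        collateral[m.receiver] += m.amount; // stand-in for the real payout
    }
}
```

With `removeChecked`, a message naming another account as `user` reverts with `NotAuthorized` unless that account has approved the sender for at least `amount`.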