exerciseOptionsReceiver() user can send dangerous compose across-chain as _options.from
Summary
An important security guarantee for the lzCompose mechanism is that srcChainSender can guarantee that it is called by users themselves.
However, exercisoptionsreceiver ()->_sendpacket () can specify _options.from as srcChainSender for remote call.
This gives users beyond the original authorization to execute other methods in other chains as _options.from.
Vulnerability Detail
UsdoOptionReceiverModule.exerciseOptionsReceiver() the codes as follows:
function exerciseOptionsReceiver(address srcChainSender, bytes memory _data) public payable {
....
@> _sendPacket(msg_.lzSendParams, msg_.composeMsg, _options.from);
// Refund extra amounts
if (_options.tapAmount - amountToSend > 0) {
IERC20(tapOft).safeTransfer(_options.from, _options.tapAmount - amountToSend);
}
} else {
//send on this chain
IERC20(tapOft).safeTransfer(_options.from, _options.tapAmount);
}
}
...
function _sendPacket(LZSendParam memory _lzSendParam, bytes memory _composeMsg, address _srcChainSender)
private
returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt)
{
From the above code, we know
Suppose: _options.from =bob just gave alice allowance, which can be used to execute exerciseOptionsReceiver().
But because _sendPacket () specifies _srcchainsender = bob.
In this way,alice can use the identity of bob and send cross-chain information to execute other arbitrary composeMsg.
For example, execute MSG_REMOTE_TRANSFER and other arbitrary USDO composeMsg.
Impact
The user goes beyond the original authorization and executes other methods in other chains as _options.from.
bin2chen
high
exerciseOptionsReceiver() user can send dangerous compose across-chain as _options.from
Summary
An important security guarantee for the
lzCompose
mechanism is thatsrcChainSender
can guarantee that it is called by users themselves. However,exercisoptionsreceiver ()
->_sendpacket ()
can specify_options.from
assrcChainSender
for remote call. This gives users beyond the original authorization to execute other methods in other chains as_options.from
.Vulnerability Detail
UsdoOptionReceiverModule.exerciseOptionsReceiver()
the codes as follows:From the above code, we know Suppose: _options.from =bob just gave
alice
allowance, which can be used to executeexerciseOptionsReceiver()
. But because_sendPacket ()
specifies_srcchainsender = bob
. In this way,alice
can use the identity ofbob
and send cross-chain information to execute other arbitrarycomposeMsg
. For example, executeMSG_REMOTE_TRANSFER
and other arbitrary USDOcomposeMsg
.Impact
The user goes beyond the original authorization and executes other methods in other chains as
_options.from
.Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoOptionReceiverModule.sol#L121
Tool used
Manual Review
Recommendation
use old srcChainSender as new srcChainSender
Duplicate of #134