search

sherlock-audit / 2024-02-tapioca-judging

2 stars 2 forks source link

ctf_sec - Access control is missing in TOFTGenericReceiverModule.sol #81

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

ctf_sec

high

Access control is missing in TOFTGenericReceiverModule.sol

Summary

Access control is missing in TOFTGenericReceiverModule.sol

Vulnerability Detail

function receiveWithParamsReceiver(address srcChainSender, bytes memory _data) public payable {
        SendParamsMsg memory msg_ = TOFTMsgCodec.decodeSendParamsMsg(_data);

        msg_.amount = _toLD(msg_.amount.toUint64());

        if (msg_.unwrap) {
            ITOFT tOFT = ITOFT(address(this));
            address toftERC20 = tOFT.erc20();

            // @audit
            // if this lacks access control, it could be exploited
            /// @dev xChain owner needs to have approved dst srcChain `sendPacket()` msg.sender in a previous composedMsg. Or be the same address.
            _internalTransferWithAllowance(msg_.receiver, srcChainSender, msg_.amount);
            tOFT.unwrap(address(this), msg_.amount);

            if (toftERC20 != address(0)) {
                IERC20(toftERC20).safeTransfer(msg_.receiver, msg_.amount);
            } else {
                (bool sent,) = msg_.receiver.call{value: msg_.amount}("");
                if (!sent) revert TOFTGenericReceiverModule_TransferFailed();
            }
        }
    }

As we can see, there is lack of access control, anyone can input msg.receiver and srcChainSender to move msg.receiver's token and unwrap onbehalf of msg.receiver even msg.receiver user does not want his token be unwrapped.

User can trigger the receiveWithParamsReceiver via TOFT

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/TOFT.sol#L146

function executeModule(ITOFT.Module _module, bytes memory _data, bool _forwardRevert)
        external
        payable
        whenNotPaused
        returns (bytes memory returnData)
    {
        return _executeModule(uint8(_module), _data, _forwardRevert);
    }

Impact

.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/modules/TOFTGenericReceiverModule.sol#L47

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/TOFT.sol#L146

Tool used

Manual Review

Recommendation

Implement access control mechanism to restrict the execution of sensitive functions to only authorized addresses

Duplicate of #132

maarcweiss commented 5 months ago

Dup of https://github.com/sherlock-audit/2024-02-tapioca-judging/issues/132 Low/Invalid