0xAadi - Lack of Handling for `validAmount` Greater Than `bridgeTransaction.amount` in `restoreBridgeTransaction` Function in `BridgeFacetImpl` Library #2
Lack of Handling for validAmount Greater Than bridgeTransaction.amount in restoreBridgeTransaction Function in BridgeFacetImpl Library
Summary
The suspendBridgeTransaction() function in the BridgeFacet contract is designed to suspend a specific bridge transaction. A user with the DISPUTE_ROLE can restore the previously suspended bridge transaction and update the valid transaction amount through the restoreBridgeTransaction function by calling restoreBridgeTransaction from the BridgeFacetImpl library.
The issue is that the restoreBridgeTransaction function in the BridgeFacetImpl library does not handle situations where the supplied validAmount is greater than the previously set bridgeTransaction.amount.
According to the README of the audit:
Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths?
No
There is no limitation on the values that can be used in the restoreBridgeTransaction function. Therefore, this function is expected to accept an updated amount that is either less than or greater than the previously set amount.
Vulnerability Detail
The restoreBridgeTransaction function in the BridgeFacetImpl library does not handle cases where validAmount is greater than bridgeTransaction.amount.
This scenario results in a revert due to underflow caused by the operation bridgeTransaction.amount - validAmount. The function should allow DISPUTE_ROLE users to increase bridgeTransaction.amount by using a validAmount larger than bridgeTransaction.amount.
The implementation restricts DISPUTE_ROLE users from increasing bridgeTransaction.amount by using a validAmount larger than bridgeTransaction.amount.
Tool used
Manual Review
Recommendation
Update the restoreBridgeTransaction() function to handle validAmounts greater than bridgeTransaction.amount, allowing DISPUTE_ROLE users to increase bridgeTransaction.amount.
0xAadi
Medium
Lack of Handling for
validAmount
Greater ThanbridgeTransaction.amount
inrestoreBridgeTransaction
Function inBridgeFacetImpl
LibrarySummary
The
suspendBridgeTransaction()
function in theBridgeFacet
contract is designed to suspend a specific bridge transaction. A user with theDISPUTE_ROLE
can restore the previously suspended bridge transaction and update the valid transaction amount through therestoreBridgeTransaction
function by callingrestoreBridgeTransaction
from theBridgeFacetImpl
library.The issue is that the
restoreBridgeTransaction
function in theBridgeFacetImpl
library does not handle situations where the suppliedvalidAmount
is greater than the previously setbridgeTransaction.amount
.According to the README of the audit:
There is no limitation on the values that can be used in the
restoreBridgeTransaction
function. Therefore, this function is expected to accept an updated amount that is either less than or greater than the previously set amount.Vulnerability Detail
The
restoreBridgeTransaction
function in theBridgeFacetImpl
library does not handle cases wherevalidAmount
is greater thanbridgeTransaction.amount
.This scenario results in a revert due to underflow caused by the operation
bridgeTransaction.amount - validAmount
. The function should allowDISPUTE_ROLE
users to increasebridgeTransaction.amount
by using avalidAmount
larger thanbridgeTransaction.amount
.Code Snippet
https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/f5b76ca33f5f05b927a9c0f2f57938e919d6420b/protocol-core/contracts/facets/Bridge/BridgeFacetImpl.sol#L90
Impact
The implementation restricts
DISPUTE_ROLE
users from increasingbridgeTransaction.amount
by using avalidAmount
larger thanbridgeTransaction.amount
.Tool used
Manual Review
Recommendation
Update the
restoreBridgeTransaction()
function to handlevalidAmount
s greater thanbridgeTransaction.amount
, allowingDISPUTE_ROLE
users to increasebridgeTransaction.amount
.