Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 42/113
Findings: 1
Award: $78.69
🌟 Selected for report: 0
🚀 Solo Findings: 0
78.6887 USDC - $78.69
https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L259-L274
UTB.bridgeAndExecute() is used to execute a cross-chain transaction for the users from the host chain.
The issue is that the refund address passed as part of the bridgeInstructions struct is the msg.sender on the host chain, as confirmed by the developers and by the natspec in the transaction-executing contract UTBExecutor.sol.
This is a problem if the msg.sender is a multisig wallet contract, because the wallet holders might not control the same address on the destination chain, causing the received tokens to be lost.
In the worst case, the tokens could be sent to an undeployed address, and an attacker could seize the opportunity to possibly steal the tokens by taking control of the refund address on the destination chain (see the Wintermute hack article).
https://github.com/code-423n4/2024-01-decent/blob/main/src/UTBExecutor.sol#L41-L82
```solidity
function execute(
    address target,
    address paymentOperator,
    bytes memory payload,
    address token,
    uint amount,
    address payable refund,
    uint extraNative
) public onlyOwner {
    bool success;
    if (token == address(0)) {
        (success, ) = target.call{value: amount}(payload);
        if (!success) {
            (refund.call{value: amount}(""));
        }
        return;
    }

    uint initBalance = IERC20(token).balanceOf(address(this));

    IERC20(token).transferFrom(msg.sender, address(this), amount);
    IERC20(token).approve(paymentOperator, amount);

    if (extraNative > 0) {
        (success, ) = target.call{value: extraNative}(payload);
        if (!success) {
            (refund.call{value: extraNative}(""));
        }
    } else {
        (success, ) = target.call(payload);
    }

    uint remainingBalance = IERC20(token).balanceOf(address(this)) -
        initBalance;

    if (remainingBalance == 0) {
        return;
    }

    IERC20(token).transfer(refund, remainingBalance);
}
```
Manual Analysis
Allow the user to supply a custom refund address on the destination chain, so that multisig wallet owners can provide their address on the destination chain.
Other
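The recommended mitigation, sketched as an added example that is not code from the Decent repository or from the finding's author: the sender-derived refund pattern beside a variant where the caller names the refund address. `RefundSketch`, `BridgeRequest`, both function names and the confirmation flag are hypothetical, and the actual bridge call is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Decent's code. All names here are hypothetical.
contract RefundSketch {
    struct BridgeRequest {
        uint256 dstChainId;
        address payable refund; // where the destination chain returns funds
        bytes payload;
    }

    event Queued(uint256 indexed dstChainId, address indexed refund);

    error ZeroRefund();
    error RefundNotConfirmed();

    // Pattern described in the finding: the refund address is always the
    // source-chain caller. If the caller is a multisig contract, its owners
    // may not control that address on dstChainId.
    function queueWithSenderRefund(uint256 dstChainId, bytes calldata payload)
        external
        returns (BridgeRequest memory req)
    {
        req = BridgeRequest(dstChainId, payable(msg.sender), payload);
        emit Queued(dstChainId, req.refund);
    }

    // Mitigation from the finding: the caller names the refund address.
    // Extra guard (an assumption of this sketch): a contract caller that
    // reuses its own address must confirm it controls that address on the
    // destination chain. A caller still inside its constructor has no code
    // yet, so the code-length test does not detect it.
    function queueWithExplicitRefund(
        uint256 dstChainId,
        bytes calldata payload,
        address payable refund,
        bool callerControlsRefundOnDst
    ) external returns (BridgeRequest memory req) {
        if (refund == address(0)) revert ZeroRefund();
        bool callerIsContract = msg.sender.code.length > 0;
        if (callerIsContract && refund == msg.sender && !callerControlsRefundOnDst) {
            revert RefundNotConfirmed();
        }
        req = BridgeRequest(dstChainId, refund, payload);
        emit Queued(dstChainId, refund);
    }
}
```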
#0 - c4-pre-sort
2024-01-25T20:01:31Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-25T20:01:39Z
raymondfam marked the issue as duplicate of #27
#2 - c4-judge
2024-02-02T17:21:12Z
alex-ppg marked the issue as partial-75