Connext contest - 0xsanson's results

The interoperability protocol of L2 Ethereum.

General Information

Platform: Code4rena

Start Date: 09/07/2021

Pot Size: $25,000 USDC

Total HM: 7

Participants: 10

Period: 3 days

Judge: ghoulsol

Total Solo HM: 2

Id: 19

League: ETH

Connext

Findings Distribution

Researcher Performance

Rank: 6/10

Findings: 2

Award: $744.70

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: pauliax

Also found by: 0xsanson, cmichel, shw

Labels

bug
duplicate
3 (High Risk)
sponsor confirmed

Awards

744.703 USDC - $744.70

External Links

Handle

0xsanson

Vulnerability details

Impact

A user and a router can collude to exploit the contract and steal funds (any ERC20 tokens) in the following way. They can set the callTo to an exploit contract that can call the receivingAssetId.transferFrom function. The logic in the fulfill function approves the token to callTo, without "dis-approving" in the case of sending the transaction directly (in the case of an error in the try-catch block). After both the user and the router have fulfilled, they can call the exploiter contract, which steals an amount of funds from TransactionManager on the receiving chain.

Proof of Concept

https://github.com/code-423n4/2021-07-connext/blob/main/contracts/TransactionManager.sol#L388

(I can provide the exploiter contract and JS test file if necessary)

Tools Used

Manual Analysis

If the tokens are transferred directly, the tokens must be dis-approved.

#0 - LayneHaber

2021-07-12T19:37:56Z

#31
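
The leftover approval described in this finding, shown as an added Python model that is not part of the original submission or the Connext code. The ledger, the account names ("manager", "call_to", "receiver") and the amounts are constructed assumptions. It compares the approve / try / fallback flow with and without resetting the allowance on the direct-transfer path.

```python
# Constructed model of the approve / try / fallback flow described in the finding.
# All names here are hypothetical; this is not the TransactionManager code.

class Token:
    """Minimal ERC20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowances.get((owner, spender), 0) < amount:
            raise ValueError("insufficient allowance")
        self.allowances[(owner, spender)] -= amount
        self.transfer(owner, to, amount)

def fulfill(token, call_to, fallback, amount, external_call, reset_allowance):
    """Approve call_to, attempt the external call, pay fallback directly on error."""
    token.approve("manager", call_to, amount)
    try:
        external_call()
    except RuntimeError:
        if reset_allowance:  # the mitigation: clear the approval on the direct path
            token.approve("manager", call_to, 0)
        token.transfer("manager", fallback, amount)

def run_scenario(reset_allowance):
    """Return (allowance left after fulfill, manager balance after a later pull attempt)."""
    token = Token({"manager": 300})  # pooled funds belonging to several transfers

    def reverting_call():
        raise RuntimeError("callTo reverted")

    fulfill(token, "call_to", "receiver", 100, reverting_call, reset_allowance)
    leftover = token.allowances[("manager", "call_to")]
    try:  # any later transferFrom by call_to spends whatever approval is left
        token.transfer_from("call_to", "manager", "call_to", 100)
    except ValueError:
        pass
    return leftover, token.balances["manager"]

if __name__ == "__main__":
    print(run_scenario(False), run_scenario(True))
```

An allowance that is still non-zero after the fallback transfer is the condition to test for: in the model it lets the same amount leave the pooled balance a second time, while the reset keeps the balance at 200.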
