Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 108/175
Findings: 1
Award: $25.68
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
25.6785 USDC - $25.68
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L832 https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L354
The transaction to the retryDeposit function can get reverted.
When the user call callOutAndBridge function, user can choose value of _refundee as the address to return excess gas deposited in msg.value to.
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L210
The callOutAndBridge will call _createDeposit to move assets from branch chain to root and create deposit data for user. in the deposit data, contract is using _refundee value as owner of deposit transaction / data.
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L832
Now if the user needs to retry the deposit transaction The deposit that is already created, the user should call retryDeposit function. in this function, first, contract check if deposit belongs to message sender. if MSG.SENDER is the owner of the deposit, it's ok, else the transaction will get reverted.
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L354
Now in the callOutAndBridge, if the user uses another address as _refundee value, the owner of the deposit transaction will be another address, and the user is not able to use retryDeposit function for the deposit transaction in future.
Manually
I think best option is to use msg.sender as the owner of deposit.
https://github.com/code-423n4/2023-05-maia/blob/1a95ffeaa057f14e6f317f7c3af84def2db16309/src/ulysses-omnichain/BranchBridgeAgent.sol#L264
Other
#0 - c4-pre-sort
2023-10-11T12:40:20Z
0xA5DF marked the issue as duplicate of #858
#1 - c4-pre-sort
2023-10-11T12:40:25Z
0xA5DF marked the issue as sufficient quality report
#2 - c4-judge
2023-10-26T06:12:58Z
alcueca changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-10-26T06:15:05Z
alcueca marked the issue as grade-a
#4 - alcueca
2023-10-26T06:15:29Z
Documentation issue, the _refundee is actually the deposit owner if the caller decides that it should be anyone else.