Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 102/175
Findings: 1
Award: $25.68
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
25.6785 USDC - $25.68
https://github.com/code-423n4/2023-09-maia/blob/main/src/ArbitrumCoreBranchRouter.sol#L168
The router in the Arbitrum branch is not upgradable at all, even when the router has a serious problem or needs an upgrade.
The executeNoSettlement function of CoreBranchRouter can change coreBranchRouterAddress of BranchPort.
But the overridden executeNoSettlement function of ArbitrumCoreBranchRouter cannot change coreBranchRouterAddress of BranchPort. As a result, there is no way to change the router in the Arbitrum branch.
CoreBranchRouter.sol#140-146 calls the setCoreBranchRouter function of BranchPort and changes its coreBranchRouterAddress in the case of _params[0] == 0x07.

```solidity
} else if (_params[0] == 0x07) {
    (address coreBranchRouter, address coreBranchBridgeAgent) = abi.decode(_params[1:], (address, address));
    IPort(localPortAddress).setCoreBranchRouter(coreBranchRouter, coreBranchBridgeAgent);

    /// Unrecognized Function Selector
} else {
```
On the other hand, ArbitrumCoreBranchRouter.sol#162-170 does not process the case of _params[0] == 0x07 and reverts.

```solidity
} else if (_data[0] == 0x06) {
    (address portStrategy, address underlyingToken, uint256 dailyManagementLimit, bool isUpdateDailyLimit) =
        abi.decode(_data[1:], (address, address, uint256, bool));
    _managePortStrategy(portStrategy, underlyingToken, dailyManagementLimit, isUpdateDailyLimit);

    /// Unrecognized Function Selector
} else {
    revert UnrecognizedFunctionId();
}
```
As a result, there is no way to change router in Arbitrum branch.
Manual Review
Insert code into ArbitrumCoreBranchRouter.sol#162 as follows.

```solidity
} else if (_data[0] == 0x06) {
    (address portStrategy, address underlyingToken, uint256 dailyManagementLimit, bool isUpdateDailyLimit) =
        abi.decode(_data[1:], (address, address, uint256, bool));
    _managePortStrategy(portStrategy, underlyingToken, dailyManagementLimit, isUpdateDailyLimit);

    /// _setCoreBranchRouter
    // The payload variable in ArbitrumCoreBranchRouter is _data, not _params.
} else if (_data[0] == 0x07) {
    (address coreBranchRouter, address coreBranchBridgeAgent) = abi.decode(_data[1:], (address, address));
    IPort(localPortAddress).setCoreBranchRouter(coreBranchRouter, coreBranchBridgeAgent);

    /// Unrecognized Function Selector
} else {
    revert UnrecognizedFunctionId();
}
```
Error
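A selector-coverage check for the gap this finding describes, as an added example that is not part of the original submission or the Maia code base: it compares the function ids an overriding dispatcher handles against those of its base. The source strings are constructed, abridged from the excerpts quoted above, and the helper names are hypothetical.

```python
import re

# Matches a dispatcher branch such as `_params[0] == 0x07` or `_data[0] == 0x06`.
BRANCH = re.compile(r"\b(\w+)\[0\]\s*==\s*0x([0-9a-fA-F]{1,2})\b")

def handled_ids(source):
    """Map each function id tested in a dispatcher to the variable it is read from."""
    code = re.sub(r"//[^\n]*", "", source)  # drop line comments before matching
    return {int(hex_id, 16): var for var, hex_id in BRANCH.findall(code)}

def missing_in_override(base_src, override_src):
    """Ids the base dispatcher handles but the override lets fall through to revert."""
    return sorted(set(handled_ids(base_src)) - set(handled_ids(override_src)))

def mixed_variables(source):
    """True when branches of one dispatcher index different payload variables."""
    return len(set(handled_ids(source).values())) > 1

# Constructed inputs, abridged from the excerpts quoted in the finding.
BASE = """
} else if (_params[0] == 0x07) {
    IPort(localPortAddress).setCoreBranchRouter(coreBranchRouter, coreBranchBridgeAgent);
    /// Unrecognized Function Selector
} else {
"""
OVERRIDE = """
} else if (_data[0] == 0x06) {
    _managePortStrategy(portStrategy, underlyingToken, dailyManagementLimit, isUpdateDailyLimit);
    /// Unrecognized Function Selector
} else {
    revert UnrecognizedFunctionId();
}
"""
# Override with the 0x07 branch added (constructed).
PATCHED = OVERRIDE.replace(
    "    /// Unrecognized Function Selector",
    "} else if (_data[0] == 0x07) {\n"
    "    IPort(localPortAddress).setCoreBranchRouter(coreBranchRouter, coreBranchBridgeAgent);\n"
    "    /// Unrecognized Function Selector",
)
# Same branch pasted from the base without renaming the payload variable (constructed).
PASTED = PATCHED.replace("_data[0] == 0x07", "_params[0] == 0x07")

if __name__ == "__main__":
    print("missing before patch:", [hex(i) for i in missing_in_override(BASE, OVERRIDE)])
    print("missing after patch: ", [hex(i) for i in missing_in_override(BASE, PATCHED)])
    print("mixed payload variables in pasted branch:", mixed_variables(PASTED))
```

Run against the real contract sources, a non-empty result from `missing_in_override` points at function ids that the override silently turns into reverts.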
#0 - c4-pre-sort
2023-10-14T10:42:35Z
0xA5DF marked the issue as low quality report
#1 - 0xA5DF
2023-10-14T10:42:38Z
The router in Arbitrum branch is not upgradable at all, even when the router has serious problem or has necessity of upgrade.
QA
#2 - c4-judge
2023-10-23T09:35:41Z
alcueca changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-10-23T09:35:46Z
alcueca marked the issue as grade-a