Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 43/113
Findings: 3
Award: $75.65
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
The setRouter() function should only be called by the owner of the DcntEth contract. However, the onlyOwner() modifier is missing, and access is not restricted, allowing anyone to change the router address and consequently mint any amount of DcntEth tokens.

All WETH and ETH stored in the DecentEthRouter contract can be extracted by redeeming DcntEth tokens for WETH or ETH from it.

Proof of concept:
1. The attacker calls the setRouter() function to update the router to an address they control.
2. Through the mint() function, guarded only by the onlyRouter() access control modifier, the attacker mints the desired amount of DcntEth tokens.
3. Through the redeemEth() and redeemWeth() functions in the DecentEthRouter contract, the attacker extracts all ETH and WETH from it.

Recommendation: update the setRouter() function with the onlyOwner() modifier in the DcntEth contract.
- function setRouter(address _router) public { + function setRouter(address _router) public onlyOwner {
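Review bot: the `+` line relies on an onlyOwner modifier being in scope for DcntEth; the report says the contract has an owner, so this should hold, but confirm the contract inherits the ownership mixin that defines the modifier or the change will not compile. Nothing in the hunk shows an event on router changes, so consider emitting one from the same function so that router updates are visible to off-chain monitoring.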
Access Control
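The following is an added Solidity example, not the project's code and not the warden's: a constructed, minimal token with the same setRouter()/onlyRouter()/mint() shape as the finding describes, the vulnerable setter beside its owner-gated form, and a small harness showing that hijacking the router only works against the unguarded version. All contract and function names here (VulnerableDcntEth, HardenedDcntEth, Attacker, Demo) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for DcntEth: a balance map plus a router-gated mint.
// The mint gate is only as strong as the control over who may set `router`.
contract VulnerableDcntEth {
    address public owner;
    address public router;
    mapping(address => uint256) public balanceOf;

    error NotOwner();
    error NotRouter();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier onlyRouter() {
        if (msg.sender != router) revert NotRouter();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // BUG (as reported): no onlyOwner, so anyone can point `router` at themselves.
    function setRouter(address _router) public virtual {
        router = _router;
    }

    // Intended to be reachable only from the trusted router.
    function mint(address to, uint256 amount) public onlyRouter {
        balanceOf[to] += amount;
    }
}

// Hardened form: the setter is owner-only and emits an event so router changes
// can be observed by monitoring.
contract HardenedDcntEth is VulnerableDcntEth {
    event RouterUpdated(address indexed previousRouter, address indexed newRouter);

    function setRouter(address _router) public override onlyOwner {
        emit RouterUpdated(router, _router);
        router = _router;
    }
}

// Constructed attacker: tries to become the router and mint to itself.
// Returns true only if the router hijack succeeded.
contract Attacker {
    function attack(VulnerableDcntEth token) external returns (bool) {
        try token.setRouter(address(this)) {} catch {
            return false;
        }
        token.mint(address(this), 1 ether);
        return true;
    }
}

// Deploys both variants (Demo becomes their owner) and runs the attack on each.
contract Demo {
    function run() external returns (bool vulnerableHijacked, bool hardenedHijacked) {
        VulnerableDcntEth v = new VulnerableDcntEth();
        HardenedDcntEth h = new HardenedDcntEth();
        Attacker a = new Attacker();
        vulnerableHijacked = a.attack(v);
        hardenedHijacked = a.attack(h);
    }
}
```

Against VulnerableDcntEth the attacker's setRouter() call succeeds and the subsequent mint passes the onlyRouter check; against HardenedDcntEth the setRouter() call reverts with NotOwner, so attack() returns false and the mint is never reached. The point worth keeping in mind when reviewing similar code is that a modifier such as onlyRouter is a delegated gate: its strength is exactly the strength of the access control on the function that assigns the trusted address.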
#0 - c4-pre-sort
2024-01-24T23:18:07Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T23:18:14Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:13:35Z
alex-ppg marked the issue as satisfactory
52.4591 USDC - $52.46
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L105
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L245
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L280
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L36
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L44
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L63
When the bridge operation is initiated, the _from address is encoded from msg.sender, which can be the DecentBridgeAdapter contract address on the source chain.

On the destination chain, if the bridged msgType was MT_ETH_TRANSFER_WITH_PAYLOAD, a scenario can occur where, during the execution of the execute() function of the DecentBridgeExecutor contract, the .call() low-level function reverts for any reason, causing the DecentBridgeExecutor contract to refund the bridged funds back to the _from address.

In a case where the Decent protocol has no access to the _from address (due to different deployment addresses with no way to deploy to it), the funds will be locked.

Proof of concept:
1. A user bridges WETH to the destination chain with a swap payload to be performed on the destination chain with a low slippage setting.
2. The DecentBridgeAdapter contract on the destination chain is deployed at a different address than on the source chain.
3. In the _executeWeth() function, the target.call(callPayload) low-level call is made to the DecentBridgeAdapter destination chain contract.
4. The call reverts, and the funds held by the DecentBridgeExecutor are refunded to the _from address, which the Decent protocol has no control over, resulting in the funds being locked.

Recommendation: the _from address should be predefined by the Owner on each chain for each destination chain, so that the refund is made to addresses controlled by the Decent protocol and from there to the original user.
Other
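To make the refund path concrete, here is an added Solidity example (constructed for this page, not the project's code): a source-side router that stamps msg.sender as the refund recipient, so that when an adapter contract is the caller the recipient becomes the adapter's source-chain address; beside it, a router that takes the refund recipient explicitly and an adapter that forwards the originating user, which is the direction the judge's comment on this finding points to; and a destination-side executor that refunds on a failed call. The message layout, the contract names (VulnerableRouter, HardenedRouter, Adapter, Executor) and the use of an event in place of the real cross-chain send are all assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed message layout; the real bridge packs more fields.
struct BridgeMsg {
    address from;   // refund recipient on the destination chain (the page's `_from`)
    address target; // contract to call on the destination chain
    bytes payload;  // calldata for that call
}

// Vulnerable pattern (source chain): `from` is whoever called the router.
// When an adapter contract is the caller, `from` is the adapter's address on
// the source chain, which may not exist on the destination chain at all.
contract VulnerableRouter {
    event Bridged(bytes message);

    function bridge(address target, bytes calldata payload) external payable {
        bytes memory m = abi.encode(BridgeMsg({from: msg.sender, target: target, payload: payload}));
        emit Bridged(m); // stands in for the cross-chain send
    }
}

// Hardened pattern: the refund recipient is an explicit argument.
contract HardenedRouter {
    event Bridged(bytes message);

    function bridge(address refundTo, address target, bytes calldata payload) external payable {
        require(refundTo != address(0), "refundTo required");
        bytes memory m = abi.encode(BridgeMsg({from: refundTo, target: target, payload: payload}));
        emit Bridged(m);
    }
}

// The adapter passes the originating user through, never its own address.
contract Adapter {
    HardenedRouter public immutable router;

    constructor(HardenedRouter r) {
        router = r;
    }

    function bridgeFor(address target, bytes calldata payload) external payable {
        router.bridge{value: msg.value}(msg.sender, target, payload);
    }
}

// Destination chain: attempt the payload; on failure, refund `from`.
// A plain value transfer to an address with no code succeeds, so if `from` is a
// contract address that only exists on the source chain the ETH is sent to an
// address nobody on this chain controls, which is the lock described above.
contract Executor {
    event Refunded(address indexed to, uint256 amount);

    function execute(bytes calldata message) external payable {
        BridgeMsg memory m = abi.decode(message, (BridgeMsg));
        (bool ok, ) = m.target.call{value: msg.value}(m.payload);
        if (!ok) {
            (bool sent, ) = m.from.call{value: msg.value}("");
            require(sent, "refund failed");
            emit Refunded(m.from, msg.value);
        }
    }
}
```

The check that matters on the destination side is that the refund recipient was chosen by someone who can actually receive there. With the explicit argument, a reviewer can trace exactly which address ends up in `from` and whether it is an EOA or a contract deployed on the destination chain; with the msg.sender form, that property depends on the call path and silently breaks when an intermediary contract sits in between.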
#0 - c4-pre-sort
2024-01-24T23:24:40Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T23:24:57Z
raymondfam marked the issue as duplicate of #27
#2 - alex-ppg
2024-02-02T17:24:13Z
The submission misses the crux of the vulnerability; Decent being able to deploy a smart contract on the various L2 chains with the same address as the original router will still not resolve the issue as the router is not equipped to handle funds. This particular vulnerability is that the from_ address is outright incorrect and should be the user themselves.
#3 - c4-judge
2024-02-02T17:24:17Z
alex-ppg marked the issue as partial-50
#4 - c4-judge
2024-02-04T23:04:02Z
alex-ppg changed the severity to 3 (High Risk)
23.067 USDC - $23.07
https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L115
https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L317
It is stated in the documentation that the protocol charges fees for transactions that require a bridge or a swap. In the UTB contract those are swapAndExecute() and bridgeAndExecute().

As there is no access control protection, any user can use the receiveFromBridge() function as a replacement for the swapAndExecute() function without the need to pay any fees.

The protocol will collect fewer fees than expected.

Proof of concept: the user takes the arguments intended for the swapAndExecute() function and uses them in the receiveFromBridge() function.

Recommendation: add an access control mechanism to receiveFromBridge(), as it is intended to be used only when called by the BridgeAdapter.
Access Control
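The fee bypass above is a matter of two entry points sharing one internal execution step while only one of them collects the fee. The following added Solidity example (constructed, not the project's UTB code) models that shape and shows the recommended fix as an owner-maintained registry of bridge adapters gating receiveFromBridge(). The fee rate, the VulnerableUTB/HardenedUTB names, the setBridgeAdapter() function and the placeholder internal step are all assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for the two UTB entry points named in the finding.
contract VulnerableUTB {
    uint256 public constant FEE_BPS = 30; // constructed fee: 0.30%
    address public immutable feeCollector;
    uint256 public executions;            // counts internal executions, for the demo

    constructor(address _feeCollector) {
        feeCollector = _feeCollector;
    }

    // User entry point: takes the fee, then executes.
    function swapAndExecute(bytes calldata instructions) external payable {
        uint256 fee = (msg.value * FEE_BPS) / 10_000;
        (bool ok, ) = feeCollector.call{value: fee}("");
        require(ok, "fee transfer failed");
        _swapAndExecute(instructions, msg.value - fee);
    }

    // BUG (as reported): meant to be called by the bridge adapter on delivery of
    // bridged funds, but callable by anyone, so the same instructions can be run
    // here with no fee taken.
    function receiveFromBridge(bytes calldata instructions) external payable virtual {
        _swapAndExecute(instructions, msg.value);
    }

    // Placeholder for the real swap + execute logic.
    function _swapAndExecute(bytes calldata, uint256) internal {
        executions += 1;
    }
}

// Hardened form: only adapters registered by the owner may deliver bridged calls.
contract HardenedUTB is VulnerableUTB {
    address public immutable owner;
    mapping(address => bool) public isBridgeAdapter;

    event BridgeAdapterSet(address indexed adapter, bool allowed);

    error NotBridgeAdapter(address caller);
    error NotOwner();

    constructor(address _feeCollector) VulnerableUTB(_feeCollector) {
        owner = msg.sender;
    }

    function setBridgeAdapter(address adapter, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        isBridgeAdapter[adapter] = allowed;
        emit BridgeAdapterSet(adapter, allowed);
    }

    modifier onlyBridgeAdapter() {
        if (!isBridgeAdapter[msg.sender]) revert NotBridgeAdapter(msg.sender);
        _;
    }

    function receiveFromBridge(bytes calldata instructions)
        external
        payable
        override
        onlyBridgeAdapter
    {
        _swapAndExecute(instructions, msg.value);
    }
}
```

A useful review habit this illustrates: whenever a contract has a "callback-style" function that exists only to be invoked by another protocol component, list every external function that reaches the same internal step and check that each one either charges the same fee or is restricted to the component that was meant to call it. The registry form also gives monitoring an event to watch for adapter changes, which a bare hard-coded address comparison would not.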
#0 - c4-pre-sort
2024-01-25T00:05:25Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-25T00:06:09Z
raymondfam marked the issue as duplicate of #15
#2 - alex-ppg
2024-02-03T12:18:58Z
The submission is correct but its comparative quality is lower and it would be unfair to other wardens who have put more effort in their submissions to be identically awarded.
I am torn between 75% and 100% and will revise to 75% if needed after grading the other submissions.
#3 - c4-judge
2024-02-03T12:19:03Z
alex-ppg marked the issue as partial-75
#4 - c4-judge
2024-02-03T12:20:40Z
alex-ppg marked the issue as satisfactory