Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 45/113
Findings: 2
Award: $52.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
A possible attack scenario to steal all WETH available in the DecentEthRouter contract could look like:
router address to his own EOA.
Manual review.
Ensure that the function setRouter can only be called by authorized roles, e.g. by adding the onlyOwner modifier.
Access Control
#0 - c4-pre-sort
2024-01-24T06:20:20Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T06:20:26Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:24:08Z
alex-ppg marked the issue as satisfactory
52.4591 USDC - $52.46
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L36
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L44
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L63
Locked ETH/WETH
The LayerZero solution enables trustless inter-chain transactions with the objective of connecting various blockchain networks. Its aim extends beyond supporting only EVM-compatible chains, allowing the sender of a transaction to be any chain supported by LayerZero.
In the fallback scenarios (#1, #2, and #3), the DecentBridgeExecutor contract sends WETH or ETH to the 'from' address, i.e. the sender's address on the chain where the transaction originated.
The 'from' address receiving the ETH/WETH may not be under the sender's control on the destination chain, for example when the transaction originates from a non-EVM chain, or when the sender is a smart contract that does not exist at the same address on the destination chain.
The executor contract is invoked by the DecentEthRouter when an onOFTReceived is triggered, typically upon receiving a dcntEth OFTv2.
Manual review.
Consider not sending WETH/ETH to the from address in a fallback scenario.
Other
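As an added illustration (not the Decent code and not the warden's submission), a minimal executor that pushes failed-delivery WETH to the source-chain `from` address, next to a variant that escrows it under a refund address chosen for the destination chain; the `refundTo` field, the `router` gate and the omitted success-path delivery are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IWETH {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative executor, NOT the Decent codebase. Vulnerable pattern: on a
// failed target call the WETH is pushed to `from`, the sender's address on
// the SOURCE chain, which may correspond to nothing the sender controls
// here (non-EVM source, or a contract deployed only on the source chain).
// Assumes the router moved `amount` WETH into this contract before calling.
contract RefundToFromExecutor {
    IWETH public immutable weth;
    address public immutable router; // only the router may call execute
    constructor(IWETH _weth, address _router) { weth = _weth; router = _router; }
    function execute(address from, address target, uint256 amount, bytes calldata data) external {
        require(msg.sender == router, "not router");
        (bool ok, ) = target.call(data);
        if (!ok) {
            weth.transfer(from, amount); // may be stuck forever on this chain
        }
    }
}

// Hardened pattern (an assumed design, not the audited code): escrow the
// failed-delivery funds under a refund address the sender chose for THIS
// chain, and let that address pull them; emit an event for monitoring.
contract EscrowExecutor {
    IWETH public immutable weth;
    address public immutable router;
    mapping(address => uint256) public claimable;
    event DeliveryFailed(address indexed refundTo, uint256 amount);
    constructor(IWETH _weth, address _router) { weth = _weth; router = _router; }

    function execute(address refundTo, address target, uint256 amount, bytes calldata data) external {
        require(msg.sender == router, "not router");
        (bool ok, ) = target.call(data);
        if (!ok) {
            claimable[refundTo] += amount;
            emit DeliveryFailed(refundTo, amount);
        }
    }

    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;
        require(weth.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Monitoring `DeliveryFailed` events gives operators a direct signal of deliveries that would otherwise have silently stranded funds.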
#0 - c4-pre-sort
2024-01-24T08:09:21Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-01-24T08:09:31Z
raymondfam marked the issue as duplicate of #27
#2 - alex-ppg
2024-02-02T17:25:41Z
The submission does not detail the vulnerability at length and additionally misses the fact that the address will be incorrect in all normal usage operations, as the primary submission details.
#3 - c4-judge
2024-02-02T17:25:45Z
alex-ppg marked the issue as partial-50
#4 - c4-judge
2024-02-04T23:04:02Z
alex-ppg changed the severity to 3 (High Risk)