Back to SpicyMeatball's contests

Ondo Finance - SpicyMeatball's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 21/70

Findings: 1

Award: $265.68

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryOndo Finance

Findings Information

🌟 Selected for report: Udsen

Also found by: 0xDING99YA, 0xpiken, Inspecktor, SpicyMeatball, adriro, ast3ros, bin2chen, bowtiedvirus, kutugu, pep7siup, seerether

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
edited-by-warden
duplicate-391

Awards

265.675 USDC - $265.68

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/SourceBridge.sol#L79 https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/DestinationBridge.sol#L108-L109 https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/DestinationBridge.sol#L137

Vulnerability details

Impact

In the DestinationBridge contract we can set multiple source chain bridges to receive payloads from

https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/DestinationBridge.sol#L234.

The problem is that we can have identical payloads from different chains, for example payload

bytes memory payload = abi.encode("1.0", alice, 10000, 1)

can be sent from Arbitrum and Optimism networks, and when executed will produce the same hash. This will result in inability to register payload from Optimism because bridge will attempt to approve the same hash twice.

Proof of Concept

Test case for forge-tests/bridges/DestinationBridge.t.sol

  function test_TxHashCollision() public {
    // send message from Arbitrum chain
    bytes memory payload = abi.encode(VERSION, alice, 100e18, 1);
    sendMessage(payload);
    // add new source chain
    string memory srcAddress = "0x9019295cA2dCdC4BCFf323b562e87FC922e34C32";
    string memory srcChain = "optimism";
    vm.prank(guardian);
    destinationBridge.addChainSupport(srcChain, srcAddress);
    assertEq(
      destinationBridge.chainToApprovedSender("optimism"),
      keccak256(abi.encode(srcAddress))
    );
    // send message from Optimism chain
    bytes32 cmdId = bytes32(
      0x9991faa1f435675159ffae64b66d7ecfdb55c29755869a18db8497b4392347e0
    );

    approve_message(
      cmdId,
      srcChain,
      srcAddress,
      address(destinationBridge),
      keccak256(payload)
    );
    // revert as bridge attempts to approve the same hash twice
    vm.expectRevert(DestinationBridge.AlreadyApproved.selector);
    destinationBridge.execute(cmdId, srcChain, srcAddress, payload);
  }

Tools Used

Forge

Add block.chainid parameter into the payload

https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/SourceBridge.sol#L79

Assessed type

Context

#0 - c4-pre-sort

2023-09-08T16:10:48Z

raymondfam marked the issue as duplicate of #162

#1 - c4-pre-sort

2023-09-08T16:10:53Z

raymondfam marked the issue as sufficient quality report

#2 - c4-judge

2023-09-17T06:46:04Z

kirk-baird marked the issue as satisfactory

#3 - c4-judge

2023-09-26T03:03:40Z

kirk-baird changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter