Connext Amarok contest - jayjonah8's results

The interoperability protocol of L2 Ethereum.

General Information

Platform: Code4rena

Start Date: 08/06/2022

Pot Size: $115,000 USDC

Total HM: 26

Participants: 72

Period: 11 days

Judge: leastwood

Total Solo HM: 14

Id: 132

League: ETH

Connext

Researcher Performance

Rank: 59/72

Findings: 1

Award: $141.86

🌟 Selected for report: 0

🚀 Solo Findings: 0

Equality check with different uint sizes can cause failures

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/BridgeFacet.sol#L283

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibConnextStorage.sol#L146

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibConnextStorage.sol#L41

Vulnerability details

Impact

In BridgeFacet.sol the xcall() function checks if _args.params.originDomain != s.domain and it will revert if these are not equal. The problem is that the originDomain is a uint32 and the s.domain is a uint256. This means that if the s.domain number is ever larger than the max value for a uint32 value, this function will fail every time because the originDomain could never reach a large enough number.

Proof of Concept

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/facets/BridgeFacet.sol#L283

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibConnextStorage.sol#L146

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/libraries/LibConnextStorage.sol#L41

Tools Used

Manual code review

The _args.params.originDomain and the s.domain should both be the same uint type. They both should be either a uint32 or uint256 to avoid any possible failures due to numbers not being large enough.

#0 - jakekidd

2022-06-25T02:24:21Z

This is a QA issue - basically, it's possible for Owner to produce a bad configuration, using an invalid domain ID (official domain IDs are listed by Nomad and all conform to being uint32).

#2 - 0xleastwood

2022-08-15T00:24:06Z

I mean this isn't really an issue but a worthwhile QA for consistent equality checking.

#3 - 0xleastwood

2022-08-15T00:24:19Z

Downgrading to QA.
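
The width mismatch from the finding and the configuration risk raised in the first comment, shown side by side as an added example. This is not code from the Connext repository or from any participant in the thread; the contract names, error names and setter functions are hypothetical, and access control is left out as a stated simplification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

// Hypothetical contracts written for this example; not the Connext source.

// Width mismatch as described in the finding: storage is uint256, argument is uint32.
contract MismatchedDomain {
    error WrongOrigin();

    uint256 public domain; // can hold values no uint32 will ever equal

    // Assumption: a plain setter stands in for the owner's configuration step.
    function setDomain(uint256 _domain) external {
        domain = _domain;
    }

    // originDomain is implicitly widened to uint256 before the comparison, so
    // once domain > type(uint32).max no argument can match and this always reverts.
    function checkOrigin(uint32 originDomain) external view {
        if (originDomain != domain) revert WrongOrigin();
    }
}

// Same check with one width on both sides and a range check at configuration time.
contract MatchedDomain {
    error WrongOrigin();
    error DomainOutOfRange(uint256 given);

    uint32 public domain;

    // Assumption: a plain setter stands in for the owner's configuration step.
    function setDomain(uint256 _domain) external {
        // Reject an out-of-range value instead of truncating it silently.
        if (_domain > type(uint32).max) revert DomainOutOfRange(_domain);
        domain = uint32(_domain);
    }

    function checkOrigin(uint32 originDomain) external view {
        if (originDomain != domain) revert WrongOrigin();
    }
}
```

With `MismatchedDomain`, setting `domain` to any value above `type(uint32).max` makes every later `checkOrigin` call revert; `MatchedDomain` refuses that configuration up front.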
