Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 40/113
Findings: 2
Award: $85.03
🌟 Selected for report: 0
🚀 Solo Findings: 0
52.4591 USDC - $52.46
https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L36 https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L44 https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentBridgeExecutor.sol#L63
Due to the address alias mechanism of L2, the contract address on L2 is different from that on L1. Direct fallback to the L1 address will result in loss of funds.
Unlike UTBExecutor, DecentBridgeExecutor does not support specifying a refund address, but directly returns funds to the from address.
The from address is the address that initiates the cross-chain transaction, which may be an EOA or any contract address.
Due to the address alias mechanism of L2, the contract address on L2 is different from that on L1. Therefore, if from is a contract and initiates an ETH -> OP transaction, the refunded funds will be sent to the L1 address of from, but the L1 from address cannot control that address on L2, resulting in lost funds.
Manual review
Funds should be returned to the specified refund address, not the from address.
Context
#0 - c4-pre-sort
2024-01-24T01:04:22Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-01-24T01:04:36Z
raymondfam marked the issue as duplicate of #27
#2 - alex-ppg
2024-02-02T17:28:24Z
The submission fails to identify the "primary" attack vector due to UTB and contains a very brief description focusing on L1 to L2 differences of addresses rather than the actual vulnerability at hand.
#3 - c4-judge
2024-02-02T17:28:28Z
alex-ppg marked the issue as partial-50
32.5727 USDC - $32.57
DecentBridgeAdapter will receive the refund but does not provide a method for withdrawal, which will cause the funds of the failed call to be permanently lost.
The call chain is: DecentBridgeAdapter -> DecentEthRouter -> lzSend.
When DecentEthRouter calls lzSend, the refund address is hard-coded as msg.sender, which is DecentBridgeAdapter.
And DecentBridgeAdapter does not provide a method for withdrawal, so the returned funds will be permanently lost.
Manual review
DecentEthRouter should add a refund parameter to allow DecentBridgeAdapter to specify the refund address when calling lzSend.
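The following is an added illustration of the pattern this finding describes and of the recommended fix; it is constructed for this page and is not the decent-bridge code. The endpoint interface mirrors the shape of LayerZero v1's send() but is reconstructed here, and the contract names RouterRefundsToCaller, RouterWithRefundParam and AdapterWithoutWithdraw are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the messaging endpoint's send(); reconstructed for this
// example, not imported from the project.
interface ILzEndpointLike {
    function send(
        uint16 dstChainId,
        bytes calldata destination,
        bytes calldata payload,
        address payable refundAddress,
        address zroPaymentAddress,
        bytes calldata adapterParams
    ) external payable;
}

// Pattern in the finding: the router names msg.sender as refund recipient,
// so any excess native fee is returned to whichever contract called it.
contract RouterRefundsToCaller {
    ILzEndpointLike public immutable endpoint;
    constructor(ILzEndpointLike _endpoint) { endpoint = _endpoint; }

    function bridge(uint16 dstChainId, bytes calldata dst, bytes calldata payload) external payable {
        // If msg.sender is an adapter with no withdraw path, the refund is stuck there.
        endpoint.send{value: msg.value}(dstChainId, dst, payload, payable(msg.sender), address(0), "");
    }
}

// Recommended fix: the caller passes the refund recipient explicitly.
contract RouterWithRefundParam {
    ILzEndpointLike public immutable endpoint;
    constructor(ILzEndpointLike _endpoint) { endpoint = _endpoint; }

    function bridge(uint16 dstChainId, bytes calldata dst, bytes calldata payload, address payable refundAddress) external payable {
        require(refundAddress != address(0), "refund address required");
        endpoint.send{value: msg.value}(dstChainId, dst, payload, refundAddress, address(0), "");
    }
}

// Adapter in the shape the finding describes: it can receive ETH but has no
// withdraw function. With the fixed router it forwards the user's refund
// address instead of becoming the refund recipient itself.
contract AdapterWithoutWithdraw {
    RouterWithRefundParam public immutable router;
    constructor(RouterWithRefundParam _router) { router = _router; }
    receive() external payable {}

    function bridge(uint16 dstChainId, bytes calldata dst, bytes calldata payload, address payable refundTo) external payable {
        router.bridge{value: msg.value}(dstChainId, dst, payload, refundTo);
    }
}
```

A quick check for the issue is to trace every refund-address argument in the call chain back to its source and confirm the final recipient can actually move ETH out.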
Context
#0 - c4-pre-sort
2024-01-24T00:57:02Z
raymondfam marked the issue as insufficient quality report
#1 - raymondfam
2024-01-24T00:59:38Z
Insufficient proof, albeit with glimpses of facts mirroring #27.
#2 - c4-pre-sort
2024-01-24T00:59:47Z
raymondfam marked the issue as duplicate of #27
#3 - c4-judge
2024-02-02T16:57:15Z
alex-ppg marked the issue as not a duplicate
#4 - c4-judge
2024-02-02T16:58:53Z
alex-ppg marked the issue as duplicate of #262
#5 - c4-judge
2024-02-02T17:03:47Z
alex-ppg marked the issue as partial-75
#6 - c4-judge
2024-02-04T23:04:25Z
alex-ppg changed the severity to 2 (Med Risk)