Ondo Finance - lsaudit's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH

Researcher Performance

Rank: 3/70

Findings: 1

Award: $2,743.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: adriro

Also found by: gkrastenov, lsaudit

Labels

bug
2 (Med Risk)
low quality report
satisfactory
duplicate-444

Awards

2743.0149 USDC - $2,743.01

External Links

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/DestinationBridge.sol#L234-L240

Vulnerability details

Impact

DestinationBridge does not implement a function that removes a supported chain. If a chain becomes compromised, it cannot be removed from chainToApprovedSender.

Proof of Concept

DestinationBridge does not implement any function that removes a previously added chain. If a chain becomes compromised, there is no way to remove it.

Since there is no dedicated removal function, the only reasonable way to remove a chain would be to call addChainSupport() again and overwrite the chain's entry with bytes32(0). _execute() would then treat that chain as non-existent and revert with ChainNotSupported():

File: contracts/bridge/DestinationBridge.sol

    if (chainToApprovedSender[srcChain] == bytes32(0)) {
      revert ChainNotSupported();
    }

However, this is impossible, since addChainSupport() does not allow to set chainToApprovedSender[srcChain] to bytes32(0).

File: contracts/bridge/DestinationBridge.sol

    function addChainSupport(
      string calldata srcChain,
      string calldata srcContractAddress
    ) external onlyOwner {
      chainToApprovedSender[srcChain] = keccak256(abi.encode(srcContractAddress));
      emit ChainIdSupported(srcChain, srcContractAddress);
    }

At line 238, chainToApprovedSender[srcChain] is set to keccak256(abi.encode(srcContractAddress)). It is not possible to supply any srcContractAddress for which keccak256(abi.encode(srcContractAddress)) returns bytes32(0). Thus, calling addChainSupport() on an existing chain can only change its address, never remove it.

This shows that the contract does not implement any method to completely remove a previously added chain.

Tools Used

Manual code review

Implement an additional function that removes a previously added chain. This function should perform delete chainToApprovedSender[srcChain].
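A reduced sketch of that mitigation, added here as an example and not taken from the Ondo code base or the submitted report. The contract name, removeChainSupport(), ChainSupportRemoved, NotOwner and isSupported() are hypothetical, the event's parameter names are assumed, and the inline owner check stands in for the onlyOwner modifier the real contract uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example: mirrors only the chainToApprovedSender mapping of
// DestinationBridge and adds the removal path the finding asks for.
contract ChainRegistrySketch {
    address public immutable owner;
    mapping(string => bytes32) public chainToApprovedSender;

    event ChainIdSupported(string srcChain, string srcContractAddress);
    event ChainSupportRemoved(string srcChain); // hypothetical event

    error ChainNotSupported();
    error NotOwner(); // hypothetical, stand-in for the onlyOwner revert

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Same body as on the page: the stored value is a keccak256 digest,
    // so this function can repoint a chain but cannot clear it.
    function addChainSupport(
        string calldata srcChain,
        string calldata srcContractAddress
    ) external onlyOwner {
        chainToApprovedSender[srcChain] = keccak256(abi.encode(srcContractAddress));
        emit ChainIdSupported(srcChain, srcContractAddress);
    }

    // Hypothetical removal function: resets the entry to bytes32(0) so the
    // ChainNotSupported() check in _execute() rejects the chain afterwards.
    function removeChainSupport(string calldata srcChain) external onlyOwner {
        if (chainToApprovedSender[srcChain] == bytes32(0)) revert ChainNotSupported();
        delete chainToApprovedSender[srcChain];
        emit ChainSupportRemoved(srcChain);
    }

    // Stand-in for the check at the top of _execute().
    function isSupported(string calldata srcChain) external view returns (bool) {
        return chainToApprovedSender[srcChain] != bytes32(0);
    }
}
```

Emitting an event on removal gives off-chain monitoring a signal that a source chain was dropped.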

Assessed type

Other

#0 - c4-pre-sort

2023-09-08T16:32:11Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-09-08T16:32:21Z

raymondfam marked the issue as duplicate of #467

#2 - c4-judge

2023-09-19T10:18:44Z

kirk-baird marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2023-09-27T00:53:45Z

kirk-baird marked the issue as satisfactory
