Maia DAO - Ulysses - wangxx2026's results

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L1204-L1217 https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L936-L944

Vulnerability details

Impact

lzreceive is not working properly

Proof of Concept

The entire link to interact with lz is: bridgeAgent.lz.send->validateTransactionProof (off-chain service)->lz.receivePayload->bridgeAgent.lzReceive

The second parameter calldata _srcAddress received by lzReceive is passed by lz:

bytes memory pathData = abi.encodePacked(_packet.srcAddress, _packet.dstAddress); // msg.sender is stored in the first 20 bytes, 

For details, please refer to the source code of lz

https://arbiscan.io/address/0x4D73AdB72bC3DD368966edD0f0b2148401A178E2#code

You can also refer to the mock version https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/lzApp/mocks/LZEndpointMock.sol

The usage in the code is as follows // found

    function _requiresEndpoint(address _endpoint, bytes calldata _srcAddress) internal view virtual {
        //Verify Endpoint
        if (msg.sender != address(this)) revert LayerZeroUnauthorizedEndpoint();
        if (_endpoint != lzEndpointAddress) revert LayerZeroUnauthorizedEndpoint();

        //Verify Remote Caller
        if (_srcAddress.length != 40) revert LayerZeroUnauthorizedCaller();
        if (rootBridgeAgentAddress != address(uint160(bytes20(_srcAddress[20:])))) revert LayerZeroUnauthorizedCaller(); // found
    }

The last 20 bytes obtained from _srcAddress are dstAddr, and here we want to limit the caller, so we should get the first 20 bytes.

Tools Used

Manual Review

Recommended Mitigation Steps

Get msg.sender using first 20 bytes of _srcAddress

Assessed type

Access Control