Decent - zaevlad's results

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L20

Vulnerability details

Impact

Malicious user can manipulate a router address.

Proof of Concept

DcntEth contract is used for setting up router address that controls minting and burning DcntEth tokens. This functions is not protected and can be called by any user:

    function setRouter(address _router) public {
        router = _router;
    }

So malicious user can set his router and mint as much tokens as he need to harm the protocol.

Tools Used

Manual review

Recommended Mitigation Steps

Protec the func with onlyOwner modifier

Assessed type

Invalid Validation

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/main/src/bridge_adapters/DecentBridgeAdapter.sol#L117 https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DecentEthRouter.sol#L171 https://github.com/code-423n4/2024-01-decent/blob/main/src/UTB.sol#L289

Vulnerability details

Impact

Some Ether can stuck in the contract as there is no option to withdraw it.

Proof of Concept

When user wants to use token transfer to another chain he uses bridgeAndExecute in the UTB contract, that forwards a call to a bridge() in the adapter contract, such as DecentBridgeAdapter.

    function bridge(
        uint256 amt2Bridge,
        SwapInstructions memory postBridge,
        uint256 dstChainId,
        address target,
        address paymentOperator,
        bytes memory payload,
        bytes calldata additionalArgs,
        address payable refund
    ) public payable onlyUtb returns (bytes memory bridgePayload) {
        ...
        router.bridgeWithPayload{value: msg.value}(
            lzIdLookup[dstChainId],
            destinationBridgeAdapter[dstChainId],
            swapParams.amountIn,
            false,
            dstGas,
            bridgePayload
        );
    }

Later it pass data to the Router contract to bridgeWithPayload():

    function _bridgeWithPayload(
        uint8 msgType,
        uint16 _dstChainId,
        address _toAddress,
        uint _amount,
        uint64 _dstGasForCall,
        bytes memory additionalPayload,
        bool deliverEth
    ) internal {
        (
            bytes32 destinationBridge,
            bytes memory adapterParams,
            bytes memory payload
        ) = _getCallParams(
                msgType,
                _toAddress,
                _dstChainId,
                _dstGasForCall,
                deliverEth,
                additionalPayload
            );

        ICommonOFT.LzCallParams memory callParams = ICommonOFT.LzCallParams({
@>          refundAddress: payable(msg.sender), // DecentBridgeAdapter
            zroPaymentAddress: address(0x0),
            adapterParams: adapterParams
        });

        uint gasValue;
        if (gasCurrencyIsEth) {
            weth.deposit{value: _amount}();
            gasValue = msg.value - _amount;
        } else {
            weth.transferFrom(msg.sender, address(this), _amount);
            gasValue = msg.value;
        }

        dcntEth.sendAndCall{value: gasValue}(
            address(this), // from address that has dcntEth (so DecentRouter)
            _dstChainId,
            destinationBridge, // toAddress
            _amount, // amount
            payload, //payload (will have recipients address)
            _dstGasForCall, // dstGasForCall
            callParams // refundAddress, zroPaymentAddress, adapterParams
        );
    }

Here we have refundAddress: payable(msg.sender), that assumed that Adaper (it is a msg.sender) can accept refunds for a call in native token.

In case of refunds there can be a situation where Adapter collet refunds that admin will not be able to withdraw.

Tools Used

Manual review

Recommended Mitigation Steps

Provide a functions to withdraw refund ethers from the Adapter.

Assessed type

ETH-Transfer