stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

CCIP Security Best Practices in `WrappedTokenBridge` Contract

naruto

Summary

Referring to the CCIP best practices: https://docs.chain.link/ccip/best-practices and CCIP Transfer Tokens With Data example: https://docs.chain.link/ccip/tutorials/programmable-token-transfers

The WrappedTokenBridge contract is lacking the following security mechanisms:

Verify destination chain.
Verify source chain and sender: An attacker can impersonate a CCIP message on any chain along with an arbitrary amount of virtual tokens. The destination chain will receive the message and transfer real tokens to the attacker.

Vulnerability Details

The _transferTokens() function does not check the destination chain, allowing users to unintentionally transfer tokens to the wrong chain and lose them.
The _ccipReceive() function lacks necessary verifications: whether the CCIP message is from a trusted chain and if the sender is the address of the WrappedTokenBridge from the source chain or not.

Recommendations

Consider adding extraArgs and setting a gasLimit.
The _transferTokens() function should check whether the given destinationChainSelector is allowlisted.
The _ccipReceive() function should verify whether the source chain and the sender are allowlisted.

Below is an example of verifying the sender from the source chain within the SDLPoolCCIPControllerPrimary contract:

function _verifyCCIPSender(Client.Any2EVMMessage memory _message) internal view override {

address sender = abi.decode(_message.sender, (address));

uint64 sourceChainSelector = _message.sourceChainSelector;

if (sender != whitelistedDestinations[sourceChainSelector]) revert SenderNotAuthorized();

}

Updates

Lead Judging Commences

0kage Lead Judge

almost 2 years ago

0kage Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

naruto Submitter

almost 2 years ago

naruto Submitter

almost 2 years ago

0kage Lead Judge

almost 2 years ago

0kage Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

hardcode-extraArgs

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.