stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Valid

CCIP Security Best Practices in `WrappedTokenBridge` Contract

Summary

Referring to the CCIP best practices: https://docs.chain.link/ccip/best-practices and CCIP Transfer Tokens With Data example: https://docs.chain.link/ccip/tutorials/programmable-token-transfers

The WrappedTokenBridge contract lacks the following security mechanisms:

  • Verify destination chain.

  • Verify source chain and sender: an attacker can send a forged CCIP message from any chain carrying an arbitrary amount of virtual tokens. The destination chain accepts the message and transfers real tokens to the attacker.

Vulnerability Details

  • The _transferTokens() function does not check the destination chain, so users can unintentionally transfer tokens to the wrong chain and lose them.

  • The _ccipReceive() function lacks the necessary verifications: that the CCIP message comes from a trusted chain, and that the sender is the WrappedTokenBridge address on the source chain.

Recommendations

  • Consider adding extraArgs and setting a gasLimit.

  • The _transferTokens() function should check whether the given destinationChainSelector is allowlisted.

  • The _ccipReceive() function should verify whether the source chain and the sender are allowlisted.

Below is an example of verifying the sender from the source chain within the SDLPoolCCIPControllerPrimary contract:

```solidity
function _verifyCCIPSender(Client.Any2EVMMessage memory _message) internal view override {
    // CCIP encodes the sender as bytes; decode it back to an EVM address
    address sender = abi.decode(_message.sender, (address));
    uint64 sourceChainSelector = _message.sourceChainSelector;
    // only the whitelisted counterpart for this source chain may deliver messages
    if (sender != whitelistedDestinations[sourceChainSelector]) revert SenderNotAuthorized();
}
```
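The sketch below is an added example and not code from the stake.link codebase; it combines the three recommendations above (destination allowlist in the outbound path, source chain and sender allowlist in `_ccipReceive`, and an explicit `gasLimit` via `extraArgs`) in one hypothetical contract. The contract name, the `allowlistedBridges` mapping, the import paths and the 200,000 gas limit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import paths follow the Chainlink CCIP package layout assumed here; adjust to the installed version.
import {CCIPReceiver} from "@chainlink/contracts-ccip/src/v0.8/ccip/applications/CCIPReceiver.sol";
import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";

// Hypothetical hardened bridge: exactly one trusted counterpart bridge per chain selector.
contract AllowlistedBridge is CCIPReceiver {
    error DestinationChainNotAllowlisted(uint64 selector);
    error SourceChainNotAllowlisted(uint64 selector);
    error SenderNotAllowlisted(address sender);

    address public immutable owner;
    // chain selector => trusted bridge address on that chain (address(0) = not allowlisted)
    mapping(uint64 => address) public allowlistedBridges;
    uint256 public constant CCIP_GAS_LIMIT = 200_000; // assumed value; size it for the receive path

    constructor(address _router) CCIPReceiver(_router) { owner = msg.sender; }

    function setAllowlistedBridge(uint64 _selector, address _bridge) external {
        require(msg.sender == owner, "not owner");
        allowlistedBridges[_selector] = _bridge;
    }

    // Outbound: refuse chains without a trusted counterpart and pin the gasLimit via extraArgs.
    function _buildMessage(uint64 _destSelector, bytes memory _data, Client.EVMTokenAmount[] memory _tokens)
        internal view returns (Client.EVM2AnyMessage memory)
    {
        address dest = allowlistedBridges[_destSelector];
        if (dest == address(0)) revert DestinationChainNotAllowlisted(_destSelector);
        return Client.EVM2AnyMessage({
            receiver: abi.encode(dest),          // only ever our own bridge on the far side
            data: _data,
            tokenAmounts: _tokens,
            feeToken: address(0),                // pay CCIP fees in native gas
            extraArgs: Client._argsToBytes(Client.EVMExtraArgsV1({gasLimit: CCIP_GAS_LIMIT}))
        });
    }

    // Inbound: CCIPReceiver already restricts the caller to the router; we still verify the origin.
    function _ccipReceive(Client.Any2EVMMessage memory _message) internal override {
        address trusted = allowlistedBridges[_message.sourceChainSelector];
        if (trusted == address(0)) revert SourceChainNotAllowlisted(_message.sourceChainSelector);
        address sender = abi.decode(_message.sender, (address));
        if (sender != trusted) revert SenderNotAllowlisted(sender);
        // ... release tokens according to _message.data / _message.destTokenAmounts
    }
}
```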
Updates

Lead Judging Commences

0kage Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
naruto Submitter
over 1 year ago
0kage Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

hardcode-extraArgs
