MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

If the user is using a multisig wallet, the MOR token rewards might be lost

0xg0p1

Summary

If a user utilizes a multisig wallet for staking and, upon claiming the rewards, does not receive the MOR tokens in the ARB network, it could be because the multisig with the same address might not be controlled by the same users as in ETH. Consequently, the user may incur a loss of rewards.

Vulnerability Details

Let's consider a scenario where Alice is the owner of a Gnosis Safe or any other Multisig wallet with the address 0xabc, for example, on the Ethereum (ETH) network. Alice, utilizing her multisig wallet, has staked some stEth in the protocol. After a certain period, Alice decides to claim the rewards. However, due to a flaw in the code logic, and Alice not owning the multisig with the same address (0xabc) on the Arbitrum (ARB) network, she will not receive the MOR tokens in the ARB network. The multisig wallet at address 0xabc might be controlled by another user, or an attacker could deploy a multisig wallet at this address to steal the MOR tokens intended for Alice. This situation could lead to Alice losing her funds.

Let's examine the vulnerability in the code:

function claim(uint256 poolId_, address user_) external payable poolExists(poolId_) {

// ... (omitted for brevity)

// Transfer rewards

L1Sender(l1Sender).sendMintMessage{value: msg.value}(user_, pendingRewards_, _msgSender());

emit UserClaimed(poolId_, user_, pendingRewards_);

}

In the code above, to claim rewards, one must provide the user_ address. The function fetches the amount of pending rewards for the user_ and calls the L1Sender's sendMintMessage function.

bytes memory payload_ = abi.encode(user_, amount_);

ILayerZeroEndpoint(config.gateway).send{value: msg.value}(

// ... (omitted for brevity)

payload_, // bytes payload

payable(refundTo_), // refund address

address(0x0), // future parameter

bytes("") // adapterParams (see "Advanced Features")

);

In the above code snippet, the payload is encoded with the user_ address and the amount_ (Alice's pending rewards). The LayerZero Endpoint is then called to send a cross-chain message to the Arbitrum (ARB) network.

In the ARB network, the payload is received by the L2MessageReceiver.sol contract:

(address user_, uint256 amount_) = abi.decode(payload_, (address, uint256));

IMOR(rewardToken).mint(user_, amount_);

The _nonblockingLzReceive function decodes the payload sent in the ETH network and mints MOR tokens to the 0xabc address in the Arbitrum (ARB). However, since Alice does not own the multisig with the address 0xabc in the ARB network, and the 0xabc address multisig might be controlled by other users or a malicious attacker, there is a risk that the rewards intended for Alice could be claimed by someone else.

As explained in detail on https://rekt.news/wintermute-rekt/, it is possible to gain control of the same address for contract accounts in a different chain; especially for those contract accounts that are deployed using the Gnosis Safe contracts:

Impact

The attacker has the capability to gain control of the multisig wallet in the ARB network, allowing them to pilfer the MOR tokens. This, in turn, leads to a loss of funds for the user.

Tools Used

Manual Review

Recommendations

To address the issue and ensure that users using multisig wallets receive rewards to the specific address they specified in the ARB network, you can consider adding the following functionality to your code:

function claim(uint256 poolId_, address user_, address arbAddress_) external payable poolExists(poolId_) {

// ... (existing code)

// Transfer rewards to the specified ARB address

L1Sender(l1Sender).sendMintMessage{value: msg.value}(arbAddress_, pendingRewards_, _msgSender());

emit UserClaimed(poolId_, user_, arbAddress_, pendingRewards_);

}

In this modified function, an additional parameter arbAddress_ is introduced, representing the specific ARB address where the user wants to receive the MOR tokens.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Users that interact through smart contracts, account abstaction or multisig wallets lose all rewards because they are not the owners of the same addresses on L2

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.