MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Valid

All reward MOR tokens will be lost for the users using the account abstraction wallet

Summary

All reward MOR tokens will be lost for the users using the account abstraction wallet.

Vulnerability Details

The "Distribution.stake" function, called when a user deposits stETH, creates a new position or updates an existing one, and uses the "msg.sender" address to identify the user's position in the pool:

_stake(_msgSender(), poolId_, amount_, _getCurrentPoolRate(poolId_));

When the user later wants to claim rewards, they call the "Distribution.claim" function on the Ethereum chain, which in turn calls "L1Sender(l1Sender).sendMintMessage()". That function constructs the LayerZero payload as follows:

L1Sender(l1Sender).sendMintMessage{value: msg.value}(user_, pendingRewards_, _msgSender());
function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {
//...
>>>bytes memory payload_ = abi.encode(user_, amount_);
ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
config.receiverChainId, // communicator LayerZero chainId
receiverAndSenderAddresses_, // send to this address to the communicator
>>>payload_, // bytes payload
payable(refundTo_), // refund address
address(0x0), // future parameter
bytes("") // adapterParams (see "Advanced Features")
);
}

Here the payload encodes "user_" as the receiving address on the destination chain, which assumes that the user controls the same address on Arbitrum. That assumption fails for users of account abstraction (smart contract) wallets: the contract that acts as the wallet exists on Ethereum, and the same address on Arbitrum is not controlled by that person. The MOR minted to it on the destination chain is therefore permanently lost.

Impact

If a user claims rewards from an account abstraction wallet, the MOR tokens are minted on Arbitrum to an address the user does not control and are lost permanently. Recovery would only be possible if the same wallet could be deployed to exactly that address on Arbitrum, which depends on the wallet's factory and deployment parameters and is nothing the protocol can guarantee.

Tools Used

Manual review.

Recommendations

Let the user pass the address on the Arbitrum chain to which the tokens should be minted. Because the recipient is then no longer tied to the position owner, also add a check that "msg.sender == user_" so that a third party cannot claim another user's rewards to an address of their choosing.
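The following is an added illustration of both the vulnerable flow described under Vulnerability Details and the fix recommended above; it is not the MorpheusAI code. The contract names, the reward bookkeeping and the constructor parameters are assumptions that mirror the snippets quoted in this finding; the ILayerZeroEndpoint.send signature is the real LayerZero v1 one used by the quoted code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// LayerZero v1 endpoint interface: the real signature of the send() call quoted above.
interface ILayerZeroEndpoint {
    function send(
        uint16 _dstChainId,
        bytes calldata _destination,
        bytes calldata _payload,
        address payable _refundAddress,
        address _zroPaymentAddress,
        bytes calldata _adapterParams
    ) external payable;
}

// Assumed shape of the sender contract; only what the finding touches is modelled.
contract L1SenderFixed {
    address public immutable distribution;
    ILayerZeroEndpoint public immutable gateway;
    uint16 public immutable receiverChainId;
    bytes public receiverAndSenderAddresses; // abi.encodePacked(l2Receiver, address(this))

    modifier onlyDistribution() {
        require(msg.sender == distribution, "not distribution");
        _;
    }

    constructor(address distribution_, address gateway_, uint16 receiverChainId_, address l2Receiver_) {
        distribution = distribution_;
        gateway = ILayerZeroEndpoint(gateway_);
        receiverChainId = receiverChainId_;
        receiverAndSenderAddresses = abi.encodePacked(l2Receiver_, address(this));
    }

    // FIX: `receiver_` is the address the claimant chose on Arbitrum, not the L1
    // caller. The payload layout (address, uint256) is unchanged, so the L2
    // receiver that does abi.decode(payload, (address, uint256)) needs no change.
    function sendMintMessage(address receiver_, uint256 amount_, address refundTo_)
        external
        payable
        onlyDistribution
    {
        bytes memory payload_ = abi.encode(receiver_, amount_);
        gateway.send{value: msg.value}(
            receiverChainId,
            receiverAndSenderAddresses,
            payload_,
            payable(refundTo_),
            address(0),
            bytes("")
        );
    }
}

contract DistributionFixed {
    L1SenderFixed public immutable l1Sender;
    // Hypothetical reward bookkeeping standing in for the real pool logic.
    mapping(uint256 => mapping(address => uint256)) public pendingRewards;

    constructor(L1SenderFixed l1Sender_) {
        l1Sender = l1Sender_;
    }

    // BEFORE (the behaviour this finding describes): the L1 position owner's
    // address is used as the L2 mint recipient. For a contract wallet nobody
    // owns that address on Arbitrum, so the minted MOR is lost.
    function claimBefore(uint256 poolId_, address user_) external payable {
        uint256 amount_ = _takePending(poolId_, user_);
        l1Sender.sendMintMessage{value: msg.value}(user_, amount_, msg.sender);
    }

    // AFTER: the claimant names the L2 receiver. Because rewards can now be
    // sent anywhere, only the position owner may trigger the claim.
    function claim(uint256 poolId_, address user_, address receiver_) external payable {
        require(msg.sender == user_, "only position owner can claim");
        require(receiver_ != address(0), "zero receiver");
        uint256 amount_ = _takePending(poolId_, user_);
        l1Sender.sendMintMessage{value: msg.value}(receiver_, amount_, msg.sender);
    }

    function _takePending(uint256 poolId_, address user_) internal returns (uint256 amount_) {
        amount_ = pendingRewards[poolId_][user_];
        require(amount_ > 0, "nothing to claim");
        pendingRewards[poolId_][user_] = 0;
    }
}
```

Two things to note when applying this. The "msg.sender == user_" check removes the ability for a third party to claim on someone's behalf (for example to pay the LayerZero fee for them); if that flow is wanted, the receiver must instead be a stored per-user setting that only the owner can change, rather than a call parameter. And the same mismatch applies to the refund address: "msg.sender" on Ethereum is correct there, because the LayerZero fee refund is paid on the source chain, where the contract wallet does exist.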

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Users that interact through smart contracts, account abstraction or multisig wallets lose all rewards because they are not the owners of the same addresses on L2
