Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sendFundsToUser() does not verify that the user has deposited anything #164

Closed
code423n4 opened this issue Mar 16, 2022 · 3 comments
Closed

sendFundsToUser() does not verify that the user has deposited anything #164

code423n4 opened this issue Mar 16, 2022 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-03-biconomy/blob/db8a1fdddd02e8cc209a4c73ffbb3de210e4a81a/contracts/hyphen/LiquidityPool.sol#L361-L370

Vulnerability details

Impact

Users can request arbitrary amounts when requesting funds from the executor, because the deposit hash is not checked against actual deposits. The user can be the executor him/herself if they wish to rug-pull directly.

Proof of Concept

    function sendFundsToUser(
        address tokenAddress,
        uint256 amount,
        address payable receiver,
        bytes memory depositHash,
        uint256 tokenGasPrice,
        uint256 fromChainId
    ) external nonReentrant onlyExecutor tokenChecks(tokenAddress) whenNotPaused {
        uint256 initialGas = gasleft();
        require(
            tokenManager.getTransferConfig(tokenAddress).min <= amount &&
                tokenManager.getTransferConfig(tokenAddress).max >= amount,
            "Withdraw amnt not in Cap limits"
        );
        require(receiver != address(0), "Bad receiver address");

        (bytes32 hashSendTransaction, bool status) = checkHashStatus(tokenAddress, amount, receiver, depositHash);

        require(!status, "Already Processed");
        processedHash[hashSendTransaction] = true;

https://github.com/code-423n4/2022-03-biconomy/blob/db8a1fdddd02e8cc209a4c73ffbb3de210e4a81a/contracts/hyphen/LiquidityPool.sol#L263-L282

    function checkHashStatus(
        address tokenAddress,
        uint256 amount,
        address payable receiver,
        bytes memory depositHash
    ) public view returns (bytes32 hashSendTransaction, bool status) {
        hashSendTransaction = keccak256(abi.encode(tokenAddress, amount, receiver, keccak256(depositHash)));

        status = processedHash[hashSendTransaction];
    }

https://github.com/code-423n4/2022-03-biconomy/blob/db8a1fdddd02e8cc209a4c73ffbb3de210e4a81a/contracts/hyphen/LiquidityPool.sol#L361-L370

Even if the executor is benevolent the fact that there is a rug vector available may negatively impact the protocol's reputation. See these examples where similar findings have been flagged as a high-severity issues.

Tools Used

Code inspection

Recommended Mitigation Steps

Store deposit hashes during deposit, and have checkHashStatus() require() that the hash exists
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Mar 16, 2022
code423n4 added a commit that referenced this issue Mar 16, 2022
@code423n4
IllIllI issue #164
524ab5c
@tomarsachin2271
Copy link
Collaborator

tomarsachin2271 commented Mar 26, 2022
edited
Loading

Current implementation of executor nodes is centralised and being an executor on ExecutorManager is not open to everyone. Biconomy runs the executor nodes, so there's trust assumption on executor nodes that it won't call sendFundsToUser method without any deposit transaction on source chain.
Building a trustless cross chain messaging is in the roadmap though.

@ankurdubey521 ankurdubey521 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Mar 30, 2022
@pauliax
Copy link
Collaborator

pauliax commented Apr 28, 2022

#80 (comment)

@pauliax pauliax closed this as completed Apr 28, 2022
@pauliax pauliax added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value duplicate This issue or pull request already exists and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Apr 28, 2022
@pauliax
Copy link
Collaborator

pauliax commented May 18, 2022
edited
Loading

Grouping this together with a similar issue submitted by the same warden: #160

@pauliax pauliax added the invalid This doesn't seem right label May 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ankurdubey521 @pauliax @tomarsachin2271 @code423n4