An Attacker Can Exploit and Steal all Branch Bridge Agents Native Gas Deposits #528
Comments
0xA5DF marked the issue as duplicate of #785
0xA5DF marked the issue as sufficient quality report
alcueca changed the severity to 2 (Med Risk)
alcueca marked the issue as satisfactory
Thanks for the great work ser. I messaged the sponsors about the former issue (#464); I initially thought it would be judged as QA, so I had to come up with how it can be abused. I then submitted #529 and this, but both issues are currently tagged as one. I would also like to add that I wrote this issue having in mind that anyone can get the stored payload from the
Upon closer inspection, this attack won't yield any profit to the attacker, as payloads (and their gas) won't be received while the endpoint is blocked.
alcueca marked the issue as not a duplicate
alcueca marked the issue as unsatisfactory:
Thank you ser, I have seen my wrong |
Since the users gas tokens will be stuck with the relayer in the destination chains, |
Let's not go on a fishing expedition here. This report was for a further attack that would yield significant additional damage over the DoS you already reported in #399. During such a DoS, user gas remains with the relayer until the DoS is resolved. That is still the same DoS with the same impact; user transactions taking a while to fully resolve after consuming gas is a common event during cross-chain operations, as you probably know from bridging tokens around on other platforms.
Thanks for taking the time to respond.
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L276-L304
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgentExecutor.sol#L167-L192
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/MulticallRootRouter.sol#L312
Vulnerability details
Impact
In this report I demonstrate how an attacker can steal unsuspecting users' native gas deposits.

For this attack to succeed, the attacker must obstruct communication between the `Root Bridge Agent` and the target `branch bridge agent`. To do so, the attacker crafts a payload designed to trigger a call within the `Root Bridge Agent`. This call in turn invokes the `branch bridge agent`, effectively blocking communication between the `Root Bridge Agent` contract and the `branch bridge agent`. This is achieved by setting a very low gas parameter value (~1), causing an Out-of-Gas (OOG) revert in `BranchBridgeAgent::lzReceive`. Consequently, the path from the root chain to the target chain's `BranchBridgeAgent` contract is blocked, because the failed payload is stored in the LayerZero endpoint.

To execute the attack, the attacker initiates a call to `BranchBridgeAgent::callOutSignedAndBridge`. Essentially, the attacker deposits some `underlying tokens` in the target `branch bridge agent` contract and receives `global hTokens` in the root bridge agent; with the added params (a settlement call), the attacker's global hTokens are burned to mint `local hTokens` or to release the deposited underlying tokens to the attacker on the `branch bridge agent` / target branch chain. The sequence of calls involved is as follows:

`BranchBridgeAgent::callOutSignedAndBridge --> lzEndPoint --> RootBridgeAgent::lzReceive --> RootBridgeAgent::lzReceiveNonBlocking --> RootBridgeAgentExecutor::executeSignedWithDeposit --> MulticallRootRouter::executeSignedDepositSingle --> _approveAndCallOut --> RootBridgeAgent::callOutAndBridge --> _createSettlement --> lzEndPoint`

The ultimate objective is that unsuspecting users attempt to bridge from other `branch bridge agent` contracts to the blocked `bridge agent`. When this happens, the `native gas` sent along with the call for execution (the LayerZero fee) on the `BranchBridgeAgent` chain is airdropped into the `branch bridge agent`, while the call itself is blocked/reverted by LayerZero during relay. Most users will then invoke functions like `RootBridgeAgent::retrySettlement` and `RootBridgeAgent::retrieveSettlement`, again sending native gas tokens along for execution (LayerZero fees). When the attacker observes that the contract has accumulated a sufficient balance, they retry the stored payload, this time sending enough gas to cover the execution cost.
Let us further observe how `BranchBridgeAgent` handles a `create settlement` request: `BranchBridgeAgent::lzReceiveNonBlocking --> BranchBridgeAgentExecutor::executeWithSettlement`.

We can observe in the else block that the contract's entire balance is sent to the recipient as a gas refund upon completion; the `recipient` used here is the `refundee` passed in as a parameter, which we can observe here:

We can observe the revert in the `BranchBridgeAgent::lzReceive` function here; add this test to `BranchBridgeAgentTest.t.sol`:
Summary
1. The attacker blocks communication between the `Root Bridge Agent` and the `Branch Bridge Agent`.
2. Users bridge from another `branch bridge agent` to the blocked `bridge agent` via the `root bridge agent`.
3. `Layer Zero` airdrops native gas tokens from the user into the blocked `branch bridge agent`.
4. The attacker retries the stored payload with enough gas and receives the accumulated balance of the `BranchBridgeAgent` contract as the gas refund.
Tools Used
Layer Zero Endpoint contracts, Foundry and Research/Manual Review
Recommended Mitigation Steps
Consider adding a check in the contract that ensures the user-supplied gas params are within a certain threshold.
The threshold should be high enough to guarantee that the gas limit always gets the call through to `lzReceiveNonBlocking`.
Rigorous testing should be done before settling on this value, and the maximum possible payload size should be taken into account.
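One way to implement the recommended check, as an added example that is not part of the original report or of the Maia codebase: a minimum-gas-limit guard that rejects user-supplied gas params too small to reach `lzReceiveNonBlocking` on the destination. The `GasParams` layout, the contract and function names, and the base/per-byte constants are assumptions for this illustration; the real constants must be measured with the project's own tests against its largest payload.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// @notice Added illustration (not Maia code): a minimum-gas-limit guard for
///         user-supplied LayerZero gas params. Struct layout and names are assumed.
abstract contract GasParamsGuard {
    struct GasParams {
        uint256 gasLimit;                 // gas the relayer supplies to lzReceive on the destination
        uint256 remoteBranchExecutionGas; // native gas airdropped to the destination agent
    }

    /// @dev Gas consumed on the destination before the payload body runs
    ///      (lzReceive -> lzReceiveNonBlocking entry, nonce bookkeeping). Assumed value.
    uint256 public immutable baseGas;
    /// @dev Extra gas budgeted per payload byte (calldata copy + abi decoding). Assumed value.
    uint256 public immutable gasPerByte;
    /// @dev Largest payload this deployment accepts; the threshold must be tested against it.
    uint256 public immutable maxPayloadBytes;

    error GasLimitTooLow(uint256 supplied, uint256 required);
    error PayloadTooLarge(uint256 size, uint256 max);

    constructor(uint256 _baseGas, uint256 _gasPerByte, uint256 _maxPayloadBytes) {
        baseGas = _baseGas;
        gasPerByte = _gasPerByte;
        maxPayloadBytes = _maxPayloadBytes;
    }

    /// @notice Smallest gasLimit that still reaches lzReceiveNonBlocking for a payload of this size.
    function minGasLimit(uint256 payloadLength) public view returns (uint256) {
        return baseGas + gasPerByte * payloadLength;
    }

    /// @dev Call before handing the payload to the LayerZero endpoint. A gasLimit of ~1
    ///      (the value the report uses to block the channel) is rejected here, so the sender
    ///      can no longer force the destination lzReceive to run out of gas.
    function _checkGasParams(GasParams memory gParams, bytes memory payload) internal view {
        if (payload.length > maxPayloadBytes) {
            revert PayloadTooLarge(payload.length, maxPayloadBytes);
        }
        uint256 required = minGasLimit(payload.length);
        if (gParams.gasLimit < required) {
            revert GasLimitTooLow(gParams.gasLimit, required);
        }
    }
}

/// @notice Sketch of a branch agent using the guard (hypothetical names and constants).
contract GuardedBranchAgent is GasParamsGuard {
    event CallOut(bytes payload, uint256 gasLimit, uint256 airdrop);

    // 120k base gas, 16 gas per payload byte, 10 KiB max payload: placeholder numbers
    // that a deployment would replace with measured values.
    constructor() GasParamsGuard(120_000, 16, 10_000) {}

    function callOutSigned(bytes calldata payload, GasParams calldata gParams) external payable {
        _checkGasParams(gParams, payload);
        // ...existing deposit / settlement logic, then the LayerZero send using gParams...
        emit CallOut(payload, gParams.gasLimit, gParams.remoteBranchExecutionGas);
    }
}
```

The guard only bounds the sender-controlled `gasLimit`; if the measured `baseGas` and `gasPerByte` are set too low for the largest payload the agent can emit, an undersized limit can still pass the check and the destination `lzReceive` can still run out of gas, which is why the report asks for the threshold to be tested against the maximum payload size.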
Assessed type
Other