Anyone Can Block LayerZero Channel un/intentionally Due to Absence of Minimum Gas Checking #785
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-399
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Comments
c4-submissions added the 3 (High Risk) ("Assets can be stolen/lost/compromised directly") and bug ("Something isn't working") labels on Oct 6, 2023
c4-pre-sort added the primary issue label ("Highest quality submission among a set of duplicates") on Oct 7, 2023
0xA5DF marked the issue as primary issue
0xA5DF marked the issue as sufficient quality report
c4-pre-sort added the sufficient quality report label ("This report is of sufficient quality") on Oct 7, 2023
This was referenced by three issues on Oct 7, 2023; all are closed.
Notice #528 claims this can be used to steal the airdropped gas from the messages sent while blocked
c4-sponsor added the sponsor confirmed label on Oct 16, 2023
0xLightt (sponsor) confirmed
c4-judge added the duplicate-399 label and removed the primary issue label on Oct 22, 2023
alcueca marked issue #399 as primary and marked this issue as a duplicate of 399
c4-judge added the 2 (Med Risk) label and removed the 3 (High Risk) label on Oct 22, 2023
c4-judge added the downgraded by judge label on Oct 22, 2023
alcueca changed the severity to 2 (Med Risk)
c4-judge added the satisfactory label on Oct 22, 2023
alcueca marked the issue as satisfactory
This issue was closed.
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L829
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L921
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L776
Vulnerability details
Description
Many functions in the Maia Protocol's contracts allow users to send cross-chain messages with specified gas parameters without any limitation. These messages are eventually sent through the following functions:
RootBridgeAgent._performCall
RootBridgeAgent._performRetrySettlementCall
BranchBridgeAgent._performCall
A potential vulnerability has been identified in multiple functions that use the _perform* functions, due to the lack of proper gas validation and enforcement. This vulnerability allows any caller to specify GasParams (used to build LayerZero's Relayer adapterParams) for the cross-chain call, including a potentially low gas value. Without proper gas validation, this could lead to scenarios where cross-chain calls fail due to insufficient gas, potentially causing denial-of-service (DoS) situations or blockage of the message pathway.

External Vulnerable Functions
BranchBridgeAgent contract
- callOutAndBridge
- callOutAndBridgeMultiple
- callOutSigned
- callOutSignedAndBridge
- callOutSignedAndBridgeMultiple
- retryDeposit
- retrieveDeposit
- retrySettlement - 2 level cross-chain messages
BaseBranchRouter
- callOut
RootBridgeAgent contract
- retrySettlement
- retrieveSettlement
CoreBranchRouter
- addGlobalToken - 3 level cross-chain messages
- addLocalToken
CoreRootRouter
- addBranchToBridgeAgent - 2 level cross-chain messages
- toggleBranchBridgeAgentFactory
- removeBranchBridgeAgent
- ...
Some of these functions are controlled by trusted entities, but this issue could happen unintentionally. It's important to note that multi-level cross-chain calls are allowed, and this vulnerability can occur in a very complex chain of cross-chain calls.
Impact
In scenarios where a LayerZero cross-chain call fails due to low gas, it could potentially block the message pathway, preventing the normal flow of messages on the channel between two chains.
Proof of Concept
Explanation:
When the gas limit specified in the try block (inside the LayerZero Endpoint) is extremely low and cannot cover the gas requirements of the internal calls within lzReceive, it's important to note that while excessivelySafeCall can help prevent reverts due to out-of-gas conditions caused by low-level calls, it cannot overcome extremely low gas limits set at the transaction level. To ensure the successful execution of desired operations, the gas limit should be appropriately set.

Additionally, if the gas limit provided in the try block is insufficient to even enter the lzReceive function, the transaction will revert before the internal call inside lzReceive reaches excessivelySafeCall.

Therefore, if an attacker sets an extremely low gas limit in the try block, and that limit is inadequate to enter the lzReceive function, the out-of-gas error will be caught before the internal call inside lzReceive reaches the excessivelySafeCall, leading to a failed transaction.

Attack scenario
Attacker's Intent:
Low Gas Specification:
adapterParams, specifying an exceptionally low gas value, for instance, 30,000 gas units.
Cross-Chain Call:
Failure to Execute:
lzReceive, lead to storing the payload in StoredPayload.
Impact:
NonBlockingLzApp architecture.

Test Case
This test will verify the vulnerability by simulating two scenarios:
Low Gas Attack: It will test the scenario where an attacker specifies an extremely low gas value, causing a cross-chain call to fail due to insufficient gas. This test aims to demonstrate how this vulnerability can lead to a denial-of-service (DoS) situation or blockage of the message pathway.
Normal Gas: It will test the scenario with an appropriate gas value to ensure that the cross-chain call executes successfully, preventing a DoS situation. This test serves as a control to show the expected behavior when using the correct gas parameters.
These test cases aim to demonstrate the impact of gas limitations on the Maia Protocol's message pathway and highlight the importance of proper gas validation and enforcement.
Tools Used
Recommended Mitigation Steps
Consider implementing gas validation and enforcement mechanisms within the function. Ensure that the gas provided by the caller is above a minimum threshold, which should cover the worst-case gas consumption scenario for the cross-chain call. It should hit (bool success,) = address(this).excessivelySafeCall(... when receiving cross-chain messages.

According to (LayerZero Integration Checklist - LayerZero Docs):

Also, this snippet can be used to implement the check from LayerZero's implementation of LzApp

It would be easier to implement the check right before the send call. Also, it will prevent the multi-level cross-chain calls and break any call that will end up in StoredPayload.

Assessed type
DoS
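
The minimum-gas check recommended in the report, as an added example that is not code from the report, Maia, or LayerZero. The contract name MinGasGuard, its errors, the minDstGas table and the message-type key are hypothetical, and the Relayer adapterParams layouts in the comments are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example: a hypothetical mixin, not Maia or LayerZero code.
abstract contract MinGasGuard {
    /// dstChainId => message type => minimum gas for the destination execution.
    /// Each value should cover the worst-case cost of reaching excessivelySafeCall.
    mapping(uint16 => mapping(uint16 => uint256)) public minDstGas;

    error BadAdapterParams(uint16 version, uint256 length);
    error MinGasNotConfigured(uint16 dstChainId, uint16 msgType);
    error GasLimitTooLow(uint256 provided, uint256 required);

    /// Assumed Relayer adapterParams layouts (abi.encodePacked, EVM address):
    ///   v1: uint16 version = 1, uint256 gasLimit                          (34 bytes)
    ///   v2: uint16 version = 2, uint256 gasLimit, uint256 native, address (86 bytes)
    function _gasLimitOf(bytes memory adapterParams) internal pure returns (uint256 gasLimit) {
        uint256 len = adapterParams.length;
        if (len < 34) revert BadAdapterParams(0, len);
        uint256 version;
        assembly {
            // Data starts 32 bytes past the pointer; these loads end at data bytes 2 and 34.
            version := and(mload(add(adapterParams, 2)), 0xffff)
            gasLimit := mload(add(adapterParams, 34))
        }
        bool wellFormed = (version == 1 && len == 34) || (version == 2 && len == 86);
        if (!wellFormed) revert BadAdapterParams(uint16(version), len);
    }

    /// Call immediately before the LayerZero endpoint send, as the report recommends,
    /// so that a message with too little destination gas is never dispatched.
    function _requireMinGas(uint16 dstChainId, uint16 msgType, bytes memory adapterParams)
        internal
        view
    {
        uint256 required = minDstGas[dstChainId][msgType];
        // Fail closed: an unset minimum must not silently allow any gas value.
        if (required == 0) revert MinGasNotConfigured(dstChainId, msgType);
        uint256 provided = _gasLimitOf(adapterParams);
        if (provided < required) revert GasLimitTooLow(provided, required);
    }

    /// Expose through an access-controlled setter in the inheriting contract.
    function _setMinDstGas(uint16 dstChainId, uint16 msgType, uint256 minGas) internal {
        minDstGas[dstChainId][msgType] = minGas;
    }
}
```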