Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

_bridgeOut in BranchPort.sol calculates the _amount and _deposit incorrectly #873

Open
c4-submissions opened this issue Oct 6, 2023 · 4 comments
Open

_bridgeOut in BranchPort.sol calculates the _amount and _deposit incorrectly #873

c4-submissions opened this issue Oct 6, 2023 · 4 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b low quality report This report is of especially low quality Q-03 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchPort.sol#L524-L532

Vulnerability details

Impact

Users may transfer more money than intended, resulting in a net loss for the user.

Proof of Concept

In _bridgeOut, either the hToken or the underlying token is being sent to the BranchPort address. For the hToken, the tokens will be burned and for the underlying, the token will be stored in the BranchPort contract.

        // Check if hTokens are being bridged out
        if (_hTokenAmount > 0) {
            _localAddress.safeTransferFrom(_depositor, address(this), _hTokenAmount);
            ERC20hTokenBranch(_localAddress).burn(_hTokenAmount);
        }


        // Check if underlying tokens are being bridged out
        if (_deposit > 0) {
            _underlyingAddress.safeTransferFrom(_depositor, address(this), _deposit);

According to the discussions on Discord, protocol admin mentions that if the user has 5 hToken and 5 underlying token, the amount called should be 10 and _deposit should be 5. This means that 5 hToken will be burnt from the user and 10 underlying token will be transferred from the user to the Port, instead of 5 underlying token.

If a user wants to transfer 10 tokens in total, he has to transfer 15 instead (5 hToken burnt and 10 underlying transferred)

Tools Used

VSCode

Recommended Mitigation Steps

Make sure that the calculation is correct so that if the user wants to transfer 10 tokens (5 htoken and 5 underlying), he will only need 5 hToken and 5 underlying, instead of 5hToken and 10 underlying. This issue might be due to this line

        uint256 _hTokenAmount = _amount - _deposit;

which is pretty confusing. Amount should not be the total amount of tokens to bridge out but rather just the underlying amount of tokens to bridge out.

Assessed type

Other
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 6, 2023
c4-submissions added a commit that referenced this issue Oct 6, 2023
@c4-submissions
jaraxxus issue #873
a487103
@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Oct 12, 2023
@c4-pre-sort
Copy link

0xA5DF marked the issue as low quality report

@0xA5DF
Copy link

0xA5DF commented Oct 12, 2023

This means that 5 hToken will be burnt from the user and 10 underlying token will be transferred from the user to the Port, instead of 5 underlying token.

No, user would be paying with 5 hTokens and 5 underlying tokens. So user gets what he paid for.
Any suggestion regarding the way parameters are named isn't more than a QA

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 22, 2023
@c4-judge
Copy link
Contributor

alcueca changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

alcueca marked the issue as grade-b

@C4-Staff C4-Staff added the Q-03 label Nov 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b low quality report This report is of especially low quality Q-03 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@0xA5DF @c4-judge @c4-pre-sort @C4-Staff @c4-submissions