-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attacker can block LayerZero channel #83
Comments
Duplicate of #87 |
@pooltypes Can anyone send a message or would they need to be whitelisted? |
If anyone can call and deny, the contract is not suited to handle exceptions and doesn't implement the The contract needs to implement I still am unsure if anyone can send a malicious message or if they need to be approved |
If only the admin can this is a Medium Severity, if anyone can, this is a High Severity finding |
From the documentation it seems like anyone can call the function: |
With the information that I have it seems like anyone can grief the endpoint making claims revert indefinitely, have reached out to the sponsor as well as LayerZero but have yet to receive any reply |
With the information I currently have, it seems like the channel can be setup to receive messages only by the specified contract, however for multiple reasons, the message sent can cause a revert, and in lack of a "nonblocking" architecture, the messages can get stuck indefinitely. However, the implementation under scope has none of these defenses, it seems like the contact under scope can be denied functionality by any caller that builds their own LZApp See example of how to prevent untrusted callers: Because of that, the message queue can be filled with blocking messages that cannot be removed. Because the contract under scope also has no way of re-setting the queue, I have reason to believe that any attack can permanently brick the receiver. For these reasons, I believe High Severity to be more appropriate |
At this point in time we've already completed all of the redemptions Is it possible to send a message from the contract other than what sender sends? lz's msg queues are per src addr. https://layerzero.gitbook.io/docs/faq/messaging-properties |
My understanding is any sender can block the queue as the receiver will revert That said if redemption is over, there's no loss beside the risk of burning funds from the FTM side |
Lines of code
https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/redeem/RedemptionReceiver.sol#L72-L105
Vulnerability details
Impact
According to the LayerZero docs, the default behavior is that when a transaction on the destination application fails, the channel between the src and dst app is blocked. Before any new transactions can be executed, the failed transaction has to be retried until it succeeds.
See https://layerzero.gitbook.io/docs/faq/messaging-properties#message-ordering & https://layerzero.gitbook.io/docs/guides/advanced/nonblockinglzapp
So an attacker is able to initiate a transaction they know will fail to block the channel between FTM and Optimism. The RedemptionSender & Receiver won't be usable anymore.
Proof of Concept
The RedemptionReceiver contract doesn't implement the non-blocking approach as seen here: https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/redeem/RedemptionReceiver.sol#L72-L105
An example implementation of the non-blocking approach by LayerZero: https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/lzApp/NonblockingLzApp.sol
Tools Used
none
Recommended Mitigation Steps
Use the non-blocking approach as described here
The text was updated successfully, but these errors were encountered: