Changing atomWarden will result in losing atomWalletInitialDepositAmount for Created and not Deployed Atoms #50
Comments
Mitigation may be a little complex, I will provide more info about Mitigation in the Judging Process.
The reported issue concerning the potential loss of

Enhancement Suggestion: The suggestion to keep track of the mapping of vault IDs to atom wallet addresses is a valid enhancement to ensure that the initial deposit amount is not lost if the

Current Design: The current design ensures that if the

Considerations: While adding a mapping to track vault IDs to atom wallet addresses could enhance clarity, it also introduces additional gas costs. The same information can be retrieved from emitted events off-chain, which might be a more efficient approach.

Severity Assessment: Since this issue does not introduce any vulnerabilities or risks to users and the current design handles ownership updates adequately, it is classified as an enhancement.

Conclusion: While the enhancement to track vault IDs to atom wallet addresses on-chain could improve the system, it is not necessary from a security standpoint. The current design ensures that the first deployed

Status: This issue is a potential enhancement.

Suggested Fix: A potential fix, if on-chain tracking ends up being preferred, can be adding a mapping to track vault IDs to atom wallet addresses, but note that this increases the deployment gas costs considerably:

mapping(uint256 => address) public vaultToAtomWallet;
function deployAtomWallet(uint256 atomId) external whenNotPaused returns (address) {
    if (atomId == 0 || atomId > count || isTripleId(atomId)) {
        revert Errors.MultiVault_VaultDoesNotExist();
    }
    // compute salt for create2
    bytes32 salt = bytes32(atomId);
    // get contract deployment data
    bytes memory data = _getDeploymentData();
    address atomWallet;
    // deploy atom wallet with create2:
    // value sent in wei,
    // memory offset of `code` (after first 32 bytes where the length is),
    // length of `code` (first 32 bytes of code),
    // salt for create2
    assembly {
        atomWallet := create2(0, add(data, 0x20), mload(data), salt)
    }
    if (atomWallet == address(0)) {
        revert Errors.MultiVault_DeployAccountFailed();
    }
    // Update mapping
    vaultToAtomWallet[atomId] = atomWallet;
    return atomWallet;
}

If off-chain verification is sufficient, no changes are needed.

Comment for the Reporter:

Extra Considerations:
Hi @mihailo-maksa, I think there is a misunderstanding between this issue and issue #51. I will explain the flow of the problem for both issues.

This is the issue described in the sponsor reply, if atomWarden was

This is what issue

As it is seen when creating AA wallet and do not deploy it, which is known as

address atomWallet = computeAtomWalletAddr(id);
// deposit atomWalletInitialDepositAmount amount of assets and mint the shares for the atom wallet
_depositOnVaultCreation(
    id,
@>  atomWallet, // receiver
    atomConfig.atomWalletInitialDepositAmount
);

The problem is that if this wallet gets deployed, it will not get deployed with address

bytes memory data = _getDeploymentData();
address atomWallet;
assembly {
    atomWallet := create2(0, add(data, 0x20), mload(data), salt)
}

As we can see the atomWallet address depends on

The issue explains the loss of

So in brief, when creating the wallet, shares are minted to the AA atomWallet that is supposed to be created with atomWarden, but changing atomWarden will result in deploying that wallet (with the specific ID) at a different address, which will cause the loss of funds (atomWalletInitialDepositAmount) for all counterfactual (created and not deployed) wallets.

Please let me know if things are clear, or there is something I should explain more clearly in the issue @mihailo-maksa
/// @notice Returns the owner of the wallet. If the wallet has been claimed, the owner
/// is the user. Otherwise, the owner is the atomWarden.
/// @return the owner of the wallet
/// NOTE: Overrides the owner function of OwnableUpgradeable
function owner() public view override returns (address) {
    OwnableStorage storage $ = _getAtomWalletOwnableStorage();
    return isClaimed ? $._owner : ethMultiVault.getAtomWarden();
}

This approach ensures that the atom wallet will always deploy correctly, even if the
Add the following solidity test in

function test_auditor_poc_issue_50() external {
    // Creating Atom Before Changing AtomWarden
    console2.log("CreateAtomWallet ...");
    console2.log("-------------------------");
    vm.startPrank(alice, alice);
    uint256 testAtomCost = getAtomCost();
    uint256 id1 = ethMultiVault.createAtom{value: testAtomCost}("atom1");
    address atomWalletCreatedAddress = ethMultiVault.computeAtomWalletAddr(id1);
    console2.log("AtomWalletCreatedAddress:", atomWalletCreatedAddress);
    (,uint256 atomWalletAssets) = getVaultStateForUser(id1, atomWalletCreatedAddress);
    console2.log("Balance Of AtomWalletCreatedAddress (", atomWalletCreatedAddress, "):", atomWalletAssets);
    vm.stopPrank();
    console2.log("-------------------------");

    // Changing AtomWarden Address
    address testValue = bob;
    vm.prank(msg.sender);
    ethMultiVault.setAtomWarden(testValue);
    console2.log("Changing atomWarden ...");
    console2.log("-------------------------");

    // Deploy AtomWallet after changing AtomWarden
    console2.log("Deploy AtomWallet ...");
    address atomWalletDeployedAddress = ethMultiVault.deployAtomWallet(id1);
    console2.log("-------------------------");

    // Deployed Address != Created Address
    console2.log("AtomWalletDeployedAddress_id1:", atomWalletDeployedAddress);
    console2.log("AtomWalletCreatedAddress_id1:", atomWalletCreatedAddress);
    console2.log("-------------------------");
    (,uint256 atomWalletDeployedAssets) = getVaultStateForUser(id1, atomWalletDeployedAddress);
    (,uint256 atomWalletCreatedAssets) = getVaultStateForUser(id1, atomWalletCreatedAddress);

    // The DeployedWalletAddress has 0 assets, as `atomWalletInitialDepositAmount` goes to the created address
    console2.log("atomWalletDeployedAssets (",atomWalletDeployedAddress, "): ", atomWalletDeployedAssets);
    console2.log("atomWalledCreatedAssets (",atomWalletCreatedAddress, "): ", atomWalletCreatedAssets);
    uint256 codeSizeOfDeployedAddress;
    uint256 codeSizeOfCreatedAddress;
    assembly {
        codeSizeOfDeployedAddress := extcodesize(atomWalletDeployedAddress)
        codeSizeOfCreatedAddress := extcodesize(atomWalletCreatedAddress)
    }
    console2.log("-------------------------");

    // The assets are totally lost as the created address is empty, was not deployed, and we do not have
    // any access to this address, which will make `atomWalletInitialDepositAmount` lost
    console2.log("Code size of DeployedAddress:", codeSizeOfDeployedAddress);
    console2.log("Code size of CreatedAddress:", codeSizeOfCreatedAddress);
}

To run the script run:

forge test --mt test_auditor_poc_issue_50 --evm-version cancun -vv

Output:

CreateAtomWallet ...
-------------------------
AtomWalletCreatedAddress: 0x3ac543BbD048a7D0B3E29a99F40763e0b3655fA4
Balance Of AtomWalletCreatedAddress ( 0x3ac543BbD048a7D0B3E29a99F40763e0b3655fA4 ): 100000000000000
-------------------------
Changing atomWarden ...
-------------------------
Deploy AtomWallet ...
-------------------------
AtomWalletDeployedAddress_id1: 0xBb8EefD3c04A36a60ef5Acf9449916ff3d7bA0b2
AtomWalletCreatedAddress_id1: 0x3ac543BbD048a7D0B3E29a99F40763e0b3655fA4
-------------------------
atomWalletDeployedAssets ( 0xBb8EefD3c04A36a60ef5Acf9449916ff3d7bA0b2 ): 0
atomWalledCreatedAssets ( 0x3ac543BbD048a7D0B3E29a99F40763e0b3655fA4 ): 100000000000000
-------------------------
Code size of DeployedAddress: 283
Code size of CreatedAddress: 0

As illustrated in the POC, the problem is not about a single address; this affects all AtomWallets that have been deployed after

According to As it is written

I proved that the user who will deploy his wallet will get his funds lost, as (

Besides this, the issue will affect all users who will deploy their wallets in the future, so if there are

So in brief, I illustrated how users will lose their funds, which makes the issue satisfy for
We still consider this issue as invalid. Since

// Encode the init function of the AtomWallet contract with constructor arguments
bytes memory initData = abi.encodeWithSelector(
    AtomWallet.init.selector,
    IEntryPoint(walletConfig.entryPoint),
    oldAtomWarden,
    address(this)
);

This means that ETH won't be lost as long as the sufficient number of owners controlling the old
After careful additional consideration, we still do not believe this is a case of "freezing of user funds" for the following reasons:

The original issue title was: "Changing atomWarden will result in losing atomWalletInitialDepositAmount for Created and not Deployed Atoms."

So, if atom vaults are created and

Inside the

/// @notice Returns the owner of the wallet. If the wallet has been claimed, the owner
/// is the user. Otherwise, the owner is the atomWarden.
/// @return the owner of the wallet
/// NOTE: Overrides the owner function of OwnableUpgradeable
function owner() public view override returns (address) {
    OwnableStorage storage $ = _getAtomWalletOwnableStorage();
    return isClaimed ? $._owner : ethMultiVault.getAtomWarden();
}

This is really important since the

This means that if the wallet is not yet deployed, there is no way to transfer the ownership over it to a user. If we were to deploy an atom wallet for each of these, the owner of all of them would originally be the current

I hope this explanation clarifies our position.
Github username: @Al-Qa-qa
Twitter username: al_qa_qa
Submission hash (on-chain): 0xc518fa0e591487973f4d31750e421dc652b1ae07f42aee2489353a9ea1ea9f70
Severity: medium
Description:
Description
When creating new Atom wallets, there are two processes. First is the creation of the atom vault. Second is deploying the wallet.
When creating an atom, atomWalletInitialDepositAmount goes to the atom wallet address that will be deployed using the current ID. EthMultiVault.sol#L481-L488
When creating the atomWallet address that will receive the initialDeposit, it is calculated using the current args, and atomWarden is one of the args. EthMultiVault.sol#L1421-L1423
But in case of deploying, we recompute this address again. EthMultiVault.sol#L366
So all AtomVaults that did not deploy their Wallets will not be able to claim their initialAmount if the atomWarden changed.
Scenario
atomWarden using setAtomWarden
InitialDepositAmount
Recommendations
In case of changing AtomWarden, you need to check that all created atoms get deployed. This can be done either on-chain or off-chain.