Jeiwan - Cross-chain message authentication can be bypassed, allowing an attacker to disrupt the state of vaults #309

Labels: Escalation Resolved (this issue's escalations have been approved/rejected), High, Reward (a payout will be made for this issue), Sponsor Confirmed, Will Fix

Jeiwan

high

Cross-chain message authentication can be bypassed, allowing an attacker to disrupt the state of vaults
Summary

A malicious actor may send a cross-chain message to an XProvider contract and bypass the onlySource authentication check. As a result, they'll be able to call any function in the XProvider contract that has the onlySource modifier and disrupt the state of XChainController and all vaults.

Vulnerability Detail
The protocol integrates with Connext to handle cross-chain interactions. XProvider is a contract that manages interactions between vaults deployed on all supported networks and XChainController. XProvider is deployed on each of the networks where a vault is deployed and is used to send and receive cross-chain messages via Connext. XProvider is a core contract that handles vault rebalancing, transferring of allocations from Game to XChainController and to vaults, and transferring of tokens deposited to vaults between vaults on different networks. Thus, it's critical that the functions of this contract are only called by authorized actors.

To ensure that cross-chain messages are sent from authorized actors, there's an onlySource modifier that's applied to the xReceive function. The modifier checks that the sender of a message is trusted (see Code Snippet below):
However, it doesn't check that trustedRemoteConnext[_origin] is set (i.e. that it's not the zero address), and _originSender can in fact be the zero address.

In Connext, a message can be delivered via one of two paths: the fast path or the slow path. The fast path is taken when, on the destination, message receiving is not authenticated, i.e. when the destination allows receiving of messages from all senders. The slow path is taken when message receiving on the destination is authenticated, i.e. when the destination checks the sender and does not accept messages from arbitrary senders.

Since XProvider always checks the sender of a message, only the slow path will be used by Connext to deliver messages to it. However, Connext always tries the fast path first, i.e. it'll always send a message and see whether it reverts on the destination or not; if it does, Connext will switch to the slow path:

When Connext executes a message on the destination chain in the fast path, it sets the sender address to the zero address:
Thus, Connext will try to call the XProvider.xReceive function with the _originSender argument set to the zero address. And there are situations when the onlySource modifier will pass such calls: when the origin network (as specified by the _origin argument) is not in the trustedRemoteConnext mapping.

According to the description of the project, it'll be deployed on the following networks:

And this is the list of networks supported by Connext:

Thus, a malicious actor can send a message from Gnosis Chain (it's not supported by Derby), and the onlySource modifier will pass the message. The same is true for any new network supported by Connext in the future and not supported by Derby.

Impact
A malicious actor can call XProvider.xReceive and any functions of XProvider with the onlySelf modifier:

- … XProvider, but only the ones with the onlySelf modifier are authorized;
- … XChainController (i.e. allocate all tokens only to the protocol the attacker will benefit the most from);
- … XChainController and block rebalancing of vaults (due to an underflow or another arithmetical error);
- … XChainController into skipping receiving of funds from a vault.

Code Snippet
The onlySource modifier validates the message sender:
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L85-L88

xReceive is protected by the onlySource modifier:
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L170-L180

Connext sets the sender to the zero address on the fast path:
https://github.com/connext/monorepo/blob/87b75b346664271522e2f2acfd10bebcfeb93993/packages/deployments/contracts/contracts/core/connext/facets/BridgeFacet.sol#L878
Tool used
Manual Review
Recommendation
In the onlySource modifier, consider checking that trustedRemoteConnext[_origin] doesn't return the zero address:
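The check described in the Vulnerability Detail section and the fix proposed in the Recommendation, as an added illustration that is not Derby's code: a minimal stand-in contract holds the weak onlySource pattern and the hardened one side by side, and a small driver replays a fast-path delivery with _originSender set to address(0) from a domain that was never registered, next to a genuine delivery from a registered one. The mapping name trustedRemoteConnext, the modifier name onlySource and the argument names _originSender and _origin come from the report; the contract and function names, the domain ids, the dao role and the trusted remote address are constructed for the example and are not taken from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Derby's code. Only `trustedRemoteConnext`, `onlySource`,
// `_originSender` and `_origin` come from the report; everything else is constructed.
contract XProviderAuthExample {
    // Connext origin domain id => the single remote XProvider trusted on that domain.
    // Any domain never registered here (e.g. a chain the protocol does not deploy to)
    // silently resolves to address(0).
    mapping(uint32 => address) public trustedRemoteConnext;

    address public immutable dao;   // constructed: the deployer may configure trust
    uint256 public receivedCount;   // counts accepted deliveries, for the demo only

    constructor() {
        dao = msg.sender;
    }

    function setTrustedRemoteConnext(uint32 _origin, address _provider) external {
        require(msg.sender == dao, "not dao");
        trustedRemoteConnext[_origin] = _provider;
    }

    // The weak pattern the report describes: an unregistered origin yields address(0),
    // and Connext's fast path reports _originSender == address(0), so the equality holds.
    modifier onlySourceWeak(address _originSender, uint32 _origin) {
        require(trustedRemoteConnext[_origin] == _originSender, "Not trusted");
        _;
    }

    // The report's recommendation: reject unregistered origins explicitly, so the
    // equality check can never be satisfied by a zero sender.
    modifier onlySource(address _originSender, uint32 _origin) {
        address trusted = trustedRemoteConnext[_origin];
        require(trusted != address(0), "Origin not configured");
        require(_originSender == trusted, "Not trusted");
        _;
    }

    // Stand-ins for xReceive: same body, different guard. The real Connext xReceive
    // carries more parameters; they are omitted because only the guard matters here.
    function xReceiveWeak(address _originSender, uint32 _origin)
        external
        onlySourceWeak(_originSender, _origin)
        returns (bool)
    {
        receivedCount += 1;
        return true;
    }

    function xReceive(address _originSender, uint32 _origin)
        external
        onlySource(_originSender, _origin)
        returns (bool)
    {
        receivedCount += 1;
        return true;
    }
}

// Driver: deploys the example and replays the deliveries the report contrasts.
contract XProviderAuthDemo {
    uint32 internal constant REGISTERED_DOMAIN = 1111;   // constructed domain id
    uint32 internal constant UNREGISTERED_DOMAIN = 2222; // constructed domain id
    address internal constant REMOTE_PROVIDER = address(0xBEEF); // constructed

    function run()
        external
        returns (bool weakAcceptsZeroSender, bool fixedAcceptsZeroSender, bool fixedAcceptsLegit)
    {
        XProviderAuthExample p = new XProviderAuthExample(); // this contract becomes `dao`
        p.setTrustedRemoteConnext(REGISTERED_DOMAIN, REMOTE_PROVIDER);

        // Fast-path delivery from a domain nobody configured: sender reported as address(0).
        // The weak guard compares address(0) with address(0) and lets it through.
        try p.xReceiveWeak(address(0), UNREGISTERED_DOMAIN) returns (bool ok) {
            weakAcceptsZeroSender = ok;
        } catch {
            weakAcceptsZeroSender = false;
        }
        // The hardened guard reverts on the unregistered domain before comparing senders.
        try p.xReceive(address(0), UNREGISTERED_DOMAIN) returns (bool ok) {
            fixedAcceptsZeroSender = ok;
        } catch {
            fixedAcceptsZeroSender = false;
        }

        // A genuine message from the registered remote still passes the hardened check.
        try p.xReceive(REMOTE_PROVIDER, REGISTERED_DOMAIN) returns (bool ok) {
            fixedAcceptsLegit = ok;
        } catch {
            fixedAcceptsLegit = false;
        }
    }
}
```

The hardened modifier checks the mapping entry for non-zero before the equality test, so an origin domain that was never configured is rejected no matter what sender value the bridge reports; the equality check alone can only ever be as strong as the weakest value the mapping is allowed to hold, and for an absent key that value is address(0). Deploying XProviderAuthDemo and calling run() on a local node exercises both guards without any bridge involved.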