Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VirtualAccount cannot directly send native tokens #307

Open
code423n4 opened this issue Jun 26, 2023 · 8 comments
Open

VirtualAccount cannot directly send native tokens #307

code423n4 opened this issue Jun 26, 2023 · 8 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) edited-by-warden M-32 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

code423n4 commented Jun 26, 2023
edited
Loading

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/VirtualAccount.sol#L41-L53

Vulnerability details

Impact

Certain functions require native tokens to be sent. These functions will revert.

Proof of Concept

According to the Sponsor, VirtualAccounts can "call any of the dApps present in the Root Chain (Arbitrum) e.g. Maia, Hermes, Ulysses AMM,Uniswap." However, this is not the case as call() is not payable and thus cannot send native tokens to other contracts. This is problematic because certain functions require native token transfers and will fail.

Tools Used

Manual

Recommended Mitigation Steps

Consider creating a single call() function that has a payable modifier and {value: msg.value}. Be aware that since calls[i].target.call() is in a loop, it is not advisable to add payable to the existing call(). This is because msg.value may be used multiple times, and is unsafe.

Assessed type

Payable
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 26, 2023
code423n4 added a commit that referenced this issue Jun 26, 2023
@code423n4
ltyu issue #307
f0d6c2f
@c4-judge
Copy link
Contributor

trust1995 marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jul 10, 2023
@c4-judge
Copy link
Contributor

trust1995 marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 10, 2023
@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Jul 12, 2023
@c4-sponsor
Copy link

0xBugsy marked the issue as sponsor acknowledged

@c4-sponsor
Copy link

0xBugsy marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Jul 12, 2023
@trust1995
Copy link

Breaking of interoperability with dApps on the hosting chain, contrary to docs, justifies Med severity in my opinion.

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Jul 25, 2023
@c4-judge
Copy link
Contributor

trust1995 marked the issue as selected for report

@c4-sponsor c4-sponsor added sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") and removed sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons labels Jul 28, 2023
@c4-sponsor
Copy link

0xBugsy marked the issue as sponsor confirmed

@C4-Staff C4-Staff added the M-32 label Jul 31, 2023
@0xLightt
Copy link

0xLightt commented Sep 7, 2023

Addressed Maia-DAO/eco-c4-contest@03c829b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) edited-by-warden M-32 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@trust1995 @code423n4 @c4-judge @c4-sponsor @0xLightt @C4-Staff