Lines of code
<https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgent.sol#L248>
Vulnerability details
Impact
Due to the lack of access control on the payableCall function in the VirtualAccount contract, anyone can call payableCall on a user's virtual account. An attacker can use this vulnerability to steal the user's funds after a failed settlement by the user.
Proof of Concept
- The user's settlement transaction fails on the destination chain for any reason.
- The attacker front-runs the user's retrySettlement transaction by calling payableCall on the user's virtual account, with the target set to the RootBridgeAgent address, the callData set to the retrySettlement selector with the same settlement nonce as the user's, and the recipient set to his own address on the branch chain. This bypasses the caller check in retrySettlement.
- The transaction succeeds on the branch chain and the attacker receives the funds at the address he supplied in the retrySettlement call.
Tools Used
Manual review
Recommended Mitigation Steps
Protect payableCall with the requiresApprovedCaller modifier.
Assessed type
Access Control
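The recommended mitigation, as an added sketch that is not the Maia project's code: a simplified account contract whose payableCall carries a requiresApprovedCaller modifier, so only the owner or an owner-approved address can make the account issue calls. The contract name GuardedAccount, the owner field, the approvedCaller mapping, setApproved and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Illustrative sketch only. GuardedAccount, owner, approvedCaller and
// setApproved are hypothetical names, not taken from the audited code base.
contract GuardedAccount {
    struct PayableCall { address target; bytes callData; uint256 value; }

    address public immutable owner;
    mapping(address => bool) public approvedCaller;

    error UnauthorizedCaller();
    error CallFailed(uint256 index);
    error ValueMismatch();

    constructor(address _owner) { owner = _owner; }

    // Only the account owner, or an address the owner approved, may make
    // this account issue calls on the owner's behalf.
    modifier requiresApprovedCaller() {
        if (msg.sender != owner && !approvedCaller[msg.sender]) revert UnauthorizedCaller();
        _;
    }

    function setApproved(address caller, bool ok) external {
        if (msg.sender != owner) revert UnauthorizedCaller();
        approvedCaller[caller] = ok;
    }

    // Without the modifier, any address could have this account appear as
    // msg.sender to an arbitrary target, which is the issue reported above.
    function payableCall(PayableCall[] calldata calls)
        external payable requiresApprovedCaller returns (bytes[] memory results)
    {
        results = new bytes[](calls.length);
        uint256 spent;
        for (uint256 i = 0; i < calls.length; i++) {
            spent += calls[i].value;
            (bool ok, bytes memory ret) = calls[i].target.call{value: calls[i].value}(calls[i].callData);
            if (!ok) revert CallFailed(i);
            results[i] = ret;
        }
        // The ETH forwarded must match what the caller supplied.
        if (spent != msg.value) revert ValueMismatch();
    }
}
```

A unit test for the fix would call payableCall from an address that is neither the owner nor approved and expect the UnauthorizedCaller revert.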