Code4rena: CODE423N4:2023-09-MAIA-FINDINGS-ISSUES-818
Oct 06, 2023 - 12:00 a.m.

payableCall in VirtualAccount isn’t protected by requiresApprovedCaller modifier

access control
vulnerability
settlement theft

AI Score

7.1

Confidence

Low

Lines of code
<https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgent.sol#L248>

Vulnerability details

Impact

Due to the lack of access control on the payableCall function in the VirtualAccount contract, anyone can call payableCall on a user's virtual account. An attacker can use this vulnerability to steal the user's funds after a failed settlement by the user.

Proof of Concept

  • The user's settlement transaction fails on the destination chain for any reason.
  • The attacker front-runs the user's retrySettlement transaction by calling payableCall on the user's virtual account, with the target set to the RootBridgeAgent address, the callData set to the retrySettlement selector with the same settlement nonce as the user's, and the recipient set to the attacker's own address on the branch chain. This bypasses the caller check in retrySettlement.
  • The transaction succeeds on the branch chain and the attacker receives the funds at the address supplied in the retrySettlement call.

Tools Used

Manual review

Recommended Mitigation Steps

Protect payableCall with the requiresApprovedCaller modifier.
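
The mitigation above, as a simplified sketch added for illustration (not the Maia source code). Only payableCall and requiresApprovedCaller are names from this report; VirtualAccountSketch, IApprovalRegistry, isApproved, the PayableCall layout and the error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical registry: true if `caller` may act on behalf of `account`.
interface IApprovalRegistry {
    function isApproved(address account, address caller) external view returns (bool);
}

// Simplified stand-in for a per-user virtual account (assumed layout).
contract VirtualAccountSketch {
    struct PayableCall { address target; bytes callData; uint256 value; }

    address public immutable userAddress;
    IApprovalRegistry public immutable registry;

    error UnauthorizedCaller();
    error CallFailed();
    error ValueMismatch();

    constructor(address user, IApprovalRegistry reg) {
        userAddress = user;
        registry = reg;
    }

    // Only the account owner or an approved caller may pass.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && !registry.isApproved(address(this), msg.sender)) {
            revert UnauthorizedCaller();
        }
        _;
    }

    // Every outgoing call has this account as msg.sender, so contracts that
    // authorize the account itself will accept it. Without the modifier,
    // any address could trigger such calls; with it, strangers revert first.
    function payableCall(PayableCall[] calldata calls)
        external payable requiresApprovedCaller returns (bytes[] memory returnData)
    {
        returnData = new bytes[](calls.length);
        uint256 valueSpent;
        for (uint256 i = 0; i < calls.length; ++i) {
            PayableCall calldata c = calls[i];
            valueSpent += c.value;
            (bool ok, bytes memory ret) = c.target.call{value: c.value}(c.callData);
            if (!ok) revert CallFailed();
            returnData[i] = ret;
        }
        // Forwarded value must match what the caller supplied.
        if (valueSpent != msg.value) revert ValueMismatch();
    }
}
```

A regression test for the fix would call payableCall from an address that is neither userAddress nor approved in the registry and expect UnauthorizedCaller.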

Assessed type

Access Control

