Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Maia DAO Ulysses Protocol>Threat Model>retrySettlement
GeneralOverview
Findings
Low (2)
DiscussionInsufficient verification in CoreRootRouterEnhanced validation in two functionsInaccurate status updateTest suite
Threat ModelWhat are threat models?
BranchBridgeAgent.solcallOutSignedcallOutSignedAndBridgeredeemDepositredeemDepositretrieveDepositretrySettlement
BranchPort.solRootBridgeAgent.solRootPort.solVirtualAccount.sol
Audit ResultsSummary

Function: retrySettlement(uint32 _settlementNonce, bytes _params, GasParams[Literal(value=2, unit=None)] _gParams, bool _hasFallbackToggled)

This allows for the retry of settlement execution. The virtual account associated with the caller must be the owner of the settlement. (This check is performed in the RootBridgeAgent contract during the processing of this cross-chain request.)

Inputs

  • _settlementNonce

    • Control: Fully controlled by the caller.

    • Constraints: There are no constraints.

    • Impact: Represents the nonce of the settlement on the Root chain.

  • _params

    • Control: Fully controlled by the caller.

    • Constraints: There are no constraints.

    • Impact: N/A.

  • _gParams

    • Control: Fully controlled by the caller.

    • Constraints: There are no constraints.

    • Impact: These values are used to encode AdapterParameters data for the LayerZero relayer contract.

  • _hasFallbackToggled

    • Control: Fully controlled by the caller.

    • Constraints: There are no constraints.

    • Impact: If true, a fallback call will be executed after settlement execution in this chain.

Branches and code coverage

Intended branches

  • Check that status of settlement was changed in BranchBridgeAgent.

  • Check that status of settlement was changed in RootBridgeAgent if the fallback was executed.

Negative behavior

  • The settlement already executed.

  • The caller is not an owner of settlement.

Function call analysis

  • this._performCall(address payable(msg.sender), payload, _gParams[0], BridgeAgentConstants.BRANCH_BASE_CALL_OUT_GAS) -> ILayerZeroEndpoint(this.lzEndpointAddress).send{value: msg.value}

    • What is controllable? The _payload is fully controlled by the caller, except for the address of the caller and the execution flag.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value.

    • What happens if it reverts, reenters or does other unusual control flow? The function can revert if the provided fee is insufficient.

  • this._performCall(address payable(msg.sender), payload, _gParams[0], BridgeAgentConstants.BRANCH_BASE_CALL_OUT_GAS) -> IRootBridgeAgent(this.rootBridgeAgentAddress).lzReceive{value: msg.value}

    • What is controllable? The _payload is fully controlled by the initial caller, except for the address of the caller (since msg.sender is used, it cannot be an arbitrary address) and the execution flag.

    • If the return value is controllable, how is it used and how can it go wrong? There is no return value.

    • What happens if it reverts, reenters or does other unusual control flow? There are checks to ensure that the initial caller is the settlement owner and that the settlement has not already been redeemed (the settlement object for the provided nonce still exists). After these checks, cross-chain executeWithSettlement requests will be sent to the Branch chain.

Zellic © 2024Back to top ↑