
Insufficient verification in multiple CoreRootRouter contract functions

The toggleStrategyToken, updateStrategyToken, togglePortStrategy, and updatePortStrategy functions in the CoreRootRouter contract initiate cross-chain requests to the branchChain to update the state of the BranchPort contract. In essence, invoking any of these functions in the CoreRootRouter contract on the rootChain triggers the function with the identical name in the BranchPort on the branchChain by way of a cross-chain message.

However, an issue can arise because the corresponding functions in BranchPort include additional verification checks that are absent from the CoreRootRouter contract. The problem is not critical, because these functions can only be invoked by the contract's owner, but a cross-chain message that was sent successfully may still be reverted, leading to unnecessary gas consumption and commission fees. To address this, we recommend implementing verification checks in CoreRootRouter equivalent to those found in the _setPortStrategySettings and _setStrategyTokenMinimumReservesRatio functions of the BranchPort contract.
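
One way to keep the two sides from drifting apart is to put the check in a shared library that both the sender and the receiver call. The sketch below is an added example, not code from the Ulysses contracts: the contract names, the RATIO_SCALE and MIN_RATIO constants, the bounds check itself, and the event standing in for the bridge call are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical shared validation: one source of truth for both chains.
library StrategyParams {
    uint256 internal constant RATIO_SCALE = 10_000; // assumed basis-point scale
    uint256 internal constant MIN_RATIO = 3_000;    // assumed lower bound

    error RatioOutOfRange(uint256 ratio);

    function validateReserveRatio(uint256 ratio) internal pure {
        if (ratio < MIN_RATIO || ratio >= RATIO_SCALE) revert RatioOutOfRange(ratio);
    }
}

// Branch side (hypothetical): the receiver already validates before writing state.
contract ExampleBranchPort {
    address public immutable router;
    mapping(address => uint256) public minimumReservesRatio;

    constructor(address router_) {
        router = router_;
    }

    function updateStrategyToken(address token, uint256 ratio) external {
        require(msg.sender == router, "not router");
        StrategyParams.validateReserveRatio(ratio);
        minimumReservesRatio[token] = ratio;
    }
}

// Root side (hypothetical): the same check runs before any message is paid for.
contract ExampleRootRouter {
    address public immutable owner;

    event MessageDispatched(uint16 dstChainId, bytes payload);

    constructor() {
        owner = msg.sender;
    }

    function updateStrategyToken(address token, uint256 ratio, uint16 dstChainId) external payable {
        require(msg.sender == owner, "not owner");
        // Reverts here, on the root chain, instead of after bridge fees are spent.
        StrategyParams.validateReserveRatio(ratio);
        bytes memory payload = abi.encodeCall(ExampleBranchPort.updateStrategyToken, (token, ratio));
        emit MessageDispatched(dstChainId, payload); // stand-in for the real bridge call
    }
}
```

With the check shared, an out-of-range value is rejected in the owner's original transaction, so no cross-chain message is dispatched for a request the branch would refuse.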

Zellic © 2024