
Anyone can emit the SendMessage event directly without transferring tokens

It is possible for anyone to call the portal's SendMessage function directly, so arbitrary MessageSent events can be emitted without any tokens actually being transferred. In eth_follower, the getEventByIntNonce function does not check the msg.sender of the event, which means that a MessageSent event created by an arbitrary user would still be signed by the messageSigner; in that case, msg.sender is simply the user's own address.

The warp.green team has acknowledged this and considers it intended behavior: the portal exists to send and receive messages, so it should be callable by any caller. Another bridge contract can use the portal to send and receive messages for cross-chain communication. Under this design, destination bridge contracts are responsible for checking that a message actually came from the expected source bridge.

For this reason, the message sources are checked on the Chia side of the bridge app.
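To make the design's trust boundary concrete, the following is an added example (not warp.green's own code, and not its real event ABI) of the check a destination-side consumer has to perform when the portal itself accepts messages from anyone. The `MessageSentEvent` fields, the `DestinationBridge` class and the `trusted_sources` allowlist are all assumptions made for the illustration; the point is that the decision to act on a message is keyed on who called the portal (the event's sender), not merely on the event having been emitted.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

@dataclass(frozen=True)
class MessageSentEvent:
    """Constructed stand-in for a portal MessageSent event (hypothetical field names)."""
    nonce: int              # per-portal message nonce
    source_chain: str       # chain on which the portal emitted the event
    sender: str             # msg.sender that called SendMessage on the portal
    destination: str        # receiver on the destination chain
    contents: Tuple[str, ...]

class DestinationBridge:
    """Hypothetical destination-side consumer that only honours messages from allowlisted source bridges."""

    def __init__(self, trusted_sources: Iterable[Tuple[str, str]]):
        # (source_chain, source bridge contract address) pairs we are willing to act on.
        self.trusted_sources = {(chain, addr.lower()) for chain, addr in trusted_sources}
        self.seen_nonces = set()

    def accept(self, ev: MessageSentEvent) -> Tuple[bool, str]:
        """Return (accepted, reason). Anyone can make the portal emit an event,
        so the sender recorded in the event is what establishes provenance."""
        if (ev.source_chain, ev.sender.lower()) not in self.trusted_sources:
            return False, "sender is not a trusted source bridge"
        # A trusted sender can still be replayed by the relayer; track nonces.
        if ev.nonce in self.seen_nonces:
            return False, "nonce already processed"
        self.seen_nonces.add(ev.nonce)
        return True, "ok"

# Constructed sample data: one message from the real source bridge, one from an
# arbitrary account that called the portal directly without locking any tokens.
TRUSTED_BRIDGE = "0xAAAAaaaaAAAAaaaaAAAAaaaaAAAAaaaaAAAAaaaa"   # placeholder address
ARBITRARY_EOA = "0xBBBBbbbbBBBBbbbbBBBBbbbbBBBBbbbbBBBBbbbb"    # placeholder address

def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    bridge = DestinationBridge([("ethereum", TRUSTED_BRIDGE)])
    legit = MessageSentEvent(1, "ethereum", TRUSTED_BRIDGE, "chia:receiver", ("1000",))
    spoof = MessageSentEvent(2, "ethereum", ARBITRARY_EOA, "chia:receiver", ("1000000",))
    return bridge.accept(legit), bridge.accept(spoof), bridge.accept(legit)

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second call returns a rejection even though the spoofed event is otherwise well-formed, and the third rejects the replay of an accepted nonce. Signing in eth_follower without this kind of sender check would mean the signature attests only that the portal emitted something, which the report notes anyone can cause.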

Zellic © 2024