Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GAP variable inconsistency in Bridge.sol #15

Open
c4-bot-9 opened this issue Mar 11, 2024 · 6 comments
Open

GAP variable inconsistency in Bridge.sol #15

c4-bot-9 opened this issue Mar 11, 2024 · 6 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b Q-32 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_15_group AI based duplicate group recommendation sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality

Comments

@c4-bot-9
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/a30b5b6afd121e4de8ceff7165a2091e62194992/packages/protocol/contracts/bridge/IBridge.sol#L60-L64
https://github.com/code-423n4/2024-03-taiko/blob/a30b5b6afd121e4de8ceff7165a2091e62194992/packages/protocol/contracts/bridge/Bridge.sol#L29-L48

Vulnerability details

Impact

Possible storage collision
Impact - High
Chances - Low to medium
Severity - medium

Proof of Concept

__gap variable is used in upgradeble contracts to ensure that any new variable if added in parent or child contract does not collide with any other previously used storage slot. Hence its size must clearly defined, which Taiko contracts do except in Bridge.sol , in the mentioned file they have assumed that Context struct uses 3 slots but it only uses 2 slots.

    struct Context {
        bytes32 msgHash; // Message hash.
        address from; // 20 bytes
        uint64 srcChainId; ///@audit 8 bytes , 20 + 8 bytes will be packed in 1 slot
    }

This wrong assumption has lead to incorrect allotment size to __gap array, which should be 44 instead of 43.

It can also be verified by running

forge inspect contracts/bridge/Bridge.sol:Bridge storage --pretty

Tools Used

Manual Review

Recommended Mitigation Steps

    /// @notice The next message ID.
    /// @dev Slot 1.
    uint128 public nextMessageId;

    /// @notice Mapping to store the status of a message from its hash.
    /// @dev Slot 2.
    mapping(bytes32 msgHash => Status status) public messageStatus;

--    /// @dev Slots 3, 4, and 5.
++    /// @audit Slots 3,4
    Context private __ctx;

    /// @notice Mapping to store banned addresses.
--    /// @dev Slot 6.
++    /// @audit slot 5
    mapping(address addr => bool banned) public addressBanned;

    /// @notice Mapping to store the proof receipt of a message from its hash.
--    /// @dev Slot 7.
++    /// @audit slot 6
    mapping(bytes32 msgHash => ProofReceipt receipt) public proofReceipt;

--    uint256[43] private __gap;
++    uint256[44] private __gap;

Some real world hacks and previous findings explaining why consistent gap size is important-
audius hack , finding 1 , finding 2

Assessed type

Upgradable
@c4-bot-9 c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 11, 2024
c4-bot-9 added a commit that referenced this issue Mar 11, 2024
@c4-bot-9
Kalyan-Singh issue #15
e0e3f36
@c4-bot-11 c4-bot-11 added the 🤖_15_group AI based duplicate group recommendation label Mar 27, 2024
@c4-pre-sort
Copy link

minhquanym marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 28, 2024
This was referenced Mar 30, 2024
Open
Open
Closed
@dantaik
Copy link

dantaik commented Apr 2, 2024

Fixed in https://github.com/taikoxyz/taiko-mono/pull/16594/files

@c4-sponsor
Copy link

dantaik marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Apr 2, 2024
@c4-sponsor
Copy link

dantaik (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Apr 2, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Apr 9, 2024

0xean changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax grade-b and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Apr 9, 2024
@c4-judge
Copy link
Contributor

0xean marked the issue as grade-b

@C4-Staff C4-Staff added the Q-32 label Apr 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b Q-32 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_15_group AI based duplicate group recommendation sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@dantaik @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff @c4-bot-9 @c4-bot-11