# Boost \_ Folks Finance 33987 - \[Smart Contract - Medium] Incorrect access control in receiveMessage l Submitted on Sat Aug 03 2024 11:26:33 GMT-0400 (Atlantic Standard Time) by @QuantumKid for [Boost | Folks Finance](https://immunefi.com/bounty/folksfinance-boost/) Report ID: #33987 Report type: Smart Contract Report severity: Medium Target: Impacts: * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield ## Description ## Brief/Intro Due to incorrect adapter access control check in sendMessage function on BridgeRouter contract an attacker can use a malicious contract as adapter to drain the entire funds in the protocol. ## Vulnerability Details In the receiveMessage to check that whether msg.sender is valid adapter or not first the adapterId is being read from the `adapterToId` mapping as below ```solidity IBridgeAdapter adapter = IBridgeAdapter(msg.sender); uint16 adapterId = adapterToId[adapter]; ``` Then using that adapterId we check whether that adapterId has a non-zero adapter address in `idToAdapter` mapping as using below function. ```solidity function isAdapterInitialized(uint16 adapterId) public view returns (bool) { IBridgeAdapter adapter = idToAdapter[adapterId]; return (address(adapter) != address(0x0)); } ``` But while adding adapter using below function if zero is used as a valid adapterId any address will be considered as a valid adapter. ```solidity function addAdapter(uint16 adapterId, IBridgeAdapter adapter) external onlyRole(MANAGER_ROLE) { // check if no existing adapter if (isAdapterInitialized(adapterId)) revert AdapterInitialized(adapterId); // add adapter idToAdapter[adapterId] = adapter; adapterToId[adapter] = adapterId; } ``` For Example: Let's say 0x1234 is a valid adapter stored at adapterId zero. Then\ `idToAdapter[0] = 0x1234`\ `adapterToId[0x1234] = 0` Now a malicious contract `0xdead` will also be considered as valid adapter because `adapterToId[0xdead] = 0` and `isAdapterInitialized(0)` will return true as a valid adapter is already initialized with zero as adapterId. ## Impact Details As any arbitrary contract is considered as a valid adapter. An attacker can use a malicious adapter contract to pass fake messages to drain the entire protocol. ## References From tests it seems like zero is a valid adapterId ```javascript async function addAdapterFixture() { const { admin, messager, unusedUsers, bridgeRouter, bridgeRouterAddress } = await loadFixture(deployBridgeRouterFixture); // deploy and add adapter const adapter = await new MockAdapter__factory(admin).deploy(bridgeRouterAddress); @> const adapterId = 0; const adapterAddress = await adapter.getAddress(); await bridgeRouter.connect(admin).addAdapter(adapterId, adapterAddress); } ``` ## Proof of concept ## Proof of Concept Add this to `add adapter` tests in `/test/bridge/BridgeRouter.test.ts` file. ```javascript it("Arbitrary contract will be considered as a valid adapter.", async () => { const { bridgeRouter, adapterId, adapterAddress } = await loadFixture(addAdapterFixture); // verify adapter was added expect(await bridgeRouter.isAdapterInitialized(adapterId)).to.be.true; expect(await bridgeRouter.idToAdapter(adapterId)).to.equal(adapterAddress); expect(await bridgeRouter.adapterToId(adapterAddress)).to.equal(adapterId); // Random address is considered as a valid adapter. expect(await bridgeRouter.isAdapterInitialized(await bridgeRouter.adapterToId(getRandomAddress()))).to.be.true; }); ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33987-smart-contract-medium-incorrect-access-control-in-receivemessage-leads-t.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.