Active Boosts

Boost _ Folks Finance 34076 - [Smart Contract - Low] Wrong way of deriving message keys using destin

Submitted on Mon Aug 05 2024 08:50:39 GMT-0400 (Atlantic Standard Time) by @IronsideSec for Boost | Folks Finance

Report ID: #34076

Report type: Smart Contract

Report severity: Low

Target: https://sepolia.etherscan.io/address/0x7cdB014Bc73C74Da5b3830eDE6a4494ec52C3738

Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

Look at the following examples from official wormhole sdk and curvance (crooschain protocol), they use source chain's cctp domain id to derive the message keys, but folks are using the destination chain's cctp domain id.

https://github.com/wormhole-foundation/wormhole-solidity-sdk/blob/b9e129e65d34827d92fceeed8c87d3ecdfc801d0/src/CCTPBase.sol#L125

            MessageKey(
 CCTPMessageLib.CCTP_KEY_TYPE,
 >>>           abi.encodePacked(getCCTPDomain(wormhole.chainId()), nonce)
 );

https://github.com/curvance/Curvance-CantinaCompetition/blob/76669e36572d9c6803a0e706214a9149d5247586/contracts/architecture/FeeTokenBridgingHub.sol#L151

Vulnerability Details

WormholeCCTPAdapter::sendMessage uses destination chain id's cctp domain id to create the message keys, its actually should use the source chain id's cctp domain. Look at line 270 below using destinationDomain to create a message key, the destinationDomain is derived from getChainAdapter(message, destinationChainId) where destinationChainId is used, but it should have used block.chain id i.e src chain to get the cctp doamin id.

https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/fb92deccd27359ea4f0cf0bc41394c86448c7abb/contracts/bridge/WormholeCCTPAdapter.sol#L121

https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/fb92deccd27359ea4f0cf0bc41394c86448c7abb/contracts/bridge/WormholeCCTPAdapter.sol#L264

Impact Details

Wrong way of deriving message keys might revert on some messages. Not a loss of funds, but fits the Low severity.

References

https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/fb92deccd27359ea4f0cf0bc41394c86448c7abb/contracts/bridge/WormholeCCTPAdapter.sol#L264

https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/fb92deccd27359ea4f0cf0bc41394c86448c7abb/contracts/bridge/WormholeCCTPAdapter.sol#L121

Proof of concept

Proof of Concept

POC is just to show the flow of call, the revert happening is not due to the wrong cctp domain. Also, the wrong cctip domain doesn't cause loss of funds, its just wrong implemtation in the contract

for POC to work,

  1. on https://github.com/Folks-Finance/folks-finance-xchain-contracts directory, do forge i foundry-rs/forge-std --no-commit,

  2. then add ds-test/=node_modules/ds-test/ to remappings.txt,

  3. then create a file Foundry.t.sol on test/ dirctory.

  4. Then run the poc with forge t --mt testIssue -f https://ethereum-sepolia.rpc.subquery.network/public --fork-block-number 6438899 -vvvv

PreviousBoost _ Folks Finance 34074 - [Smart Contract - Critical] Hub missing check for available liquidityNextBoost _ Folks Finance 34085 - [Smart Contract - Low] partial repayment with collaterals will revert

Last updated

Was this helpful?