# Boost \_ Folks Finance 34188 - \[Smart Contract - Insight] BridgeRouterHub can add address adapter Submitted on Tue Aug 06 2024 07:36:54 GMT-0400 (Atlantic Standard Time) by @Obin for [Boost | Folks Finance](https://immunefi.com/bounty/folksfinance-boost/) Report ID: #34188 Report type: Smart Contract Report severity: Insight Target: Impacts: * Bridgerouter `MANAGER_ROLE` can "irreversibly" add address(0) Adaapter ## Description ## Brief/Intro `MANAGER_ROLE` in bridgeRouterHub can add address(0) as Adapter. This is not supposed to be allowed by the contract. ## Impact Details When this happens, it is impossible to reverse its effect as the opposite function `removeAdapter()` will revert. * Permanently wasting an adapterId. * Potential adapterId synchronicities across chains be permanently disrupted. ## Mitigation ```diff + error adapterIndexMustNotBeZero(); + error adapterCantBeZeroAddress(); function addAdapter(uint16 adapterId, IBridgeAdapter adapter) external onlyRole(MANAGER_ROLE) { + if(adapterId == uint16(0)) revert adapterIndexMustNotBeZero(); //@audit The index for `adapterId` must start from 1 not 0. if(address(adapter) == address(0)) revert adapterCantBeZeroAddress(); // check if no existing adapter if (isAdapterInitialized(adapterId)) revert AdapterInitialized(adapterId); // add adapter idToAdapter[adapterId] = adapter; adapterToId[adapter] = adapterId; } ``` ## References Add any relevant links to documentation or code ## Proof of concept ## Proof of Concept ### Changes made to BridgeRouter.sol file for simplicity in illustration using foundry ```diff diff --git a/Diff.sol b/Diff.sol index a8ea541..862431b 100644 --- a/Diff.sol +++ b/Diff.sol @@ -1,33 +1,28 @@ -// SPDX-License-Identifier: BUSL-1.1 -pragma solidity 0.8.23; +// SPDX-License-Identifier: UNLICENSED +pragma solidity ^0.8.13; +import {AccessControlDefaultAdminRules} from "@openzeppelin/contracts/access/extensions/AccessControlDefaultAdminRules.sol"; -import "@openzeppelin/contracts/access/extensions/AccessControlDefaultAdminRules.sol"; -import "./BridgeMessenger.sol"; -import "./interfaces/IBridgeAdapter.sol"; -import "./interfaces/IBridgeRouter.sol"; import "./libraries/Messages.sol"; -abstract contract BridgeRouter is IBridgeRouter, AccessControlDefaultAdminRules { - bytes32 public constant override MANAGER_ROLE = keccak256("MANAGER"); - bytes32 public constant override MESSAGE_SENDER_ROLE = keccak256("MESSAGE_SENDER"); - - event MessageSucceeded(uint16 adapterId, bytes32 indexed messageId); - event MessageFailed(uint16 adapterId, bytes32 indexed messageId, bytes reason); - event MessageRetrySucceeded(uint16 adapterId, bytes32 indexed messageId); - event MessageRetryFailed(uint16 adapterId, bytes32 indexed messageId, bytes reason); - event MessageReverseSucceeded(uint16 adapterId, bytes32 indexed messageId); - event MessageReverseFailed(uint16 adapterId, bytes32 indexed messageId, bytes reason); - event Withdraw(bytes32 userId, address receiver, uint256 amount); - - error NotEnoughFunds(bytes32 user); - error FailedToWithdrawFunds(address recipient, uint256 amount); - error ChainUnavailable(uint16 folksChainId); - error SenderDoesNotMatch(address messager, address caller); - error AdapterInitialized(uint16 adapterId); - error AdapterNotInitialized(uint16 adapterId); - error AdapterUnknown(IBridgeAdapter adapter); +// an examplary interface +interface IBridgeAdapter { + function dog() external view returns(bool); + function cat() external view returns(bool); + +} + +contract Counter is AccessControlDefaultAdminRules { + bytes32 public constant MANAGER_ROLE = keccak256("MANAGER"); + bytes32 public constant MESSAGE_SENDER_ROLE = keccak256("MESSAGE_SENDER"); + + error AdapterInitialized(uint); + error AdapterNotInitialized(uint); error MessageAlreadySeen(bytes32 messageId); - error MessageUnknown(bytes32 messageId); + error AdapterUnknown(IBridgeAdapter adapter); + + event successfullyBypassedAllrevertChecksAbove(); + + uint256 public number = 13; //testing ``` ### Actual POC on above File ``` // SPDX-License-Identifier: UNLICENSED pragma solidity ^0.8.13; import {Test, console} from "forge-std/Test.sol"; import { IBridgeAdapter,Counter, Messages} from "../src/Counter.sol"; contract CounterTest is Test { Counter public counter; address admin = makeAddr("admin"); //address manager = makeAddr('manager'); function setUp() public { //vm.startPrank(admin); counter = new Counter(admin); // counter.grantRole(counter.MANAGER_ROLE(),manager); // Already set } // adapter Id cannot be removed function testImpactOfAddressZeroInputCannotBeRemoved() public { vm.startPrank(admin); // adds 5 instances of adapter (For instance) for(uint160 i =0; i < 5; i++){ //makes 5 address (address(0) as first) IBridgeAdapter adapter = IBridgeAdapter(address(i)); //address(0) will be first counter.addAdapter(uint16(i),adapter); console.log('addapterInstances',address(adapter)); } uint16 adapterId = 0; //adapterId of addressZero adapter vm.expectRevert(abi.encodeWithSelector(Counter.AdapterNotInitialized.selector, 0)); //attepmpt to reverse this error is impossible. counter.removeAdapter(adapterId); } /** =========Signatures function isAdapterInitialized(uint16 adapterId) public view returns (bool) function getAdapter(uint16 adapterId) public view returns (IBridgeAdapter) function addAdapter(uint16 adapterId, IBridgeAdapter adapter) external */ } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/folks-finance/boost-_-folks-finance-34188-smart-contract-insight-bridgerouterhub-can-add-address-adapter.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.