Light ModeLight
Light ModeDark

One Bug Per Day

One H/M every day from top Wardens

Checkmark

Join over 445 wardens!

Checkmark

Receive the email at any hour!

Ad

onlyCentrifugeChainOrigin() can't require msg.sender equal axelarGateway

mediumCode4rena

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/gateway/routers/axelar/Router.sol#L44

Vulnerability details

Vulnerability details

In AxelarRouter.sol, we need to ensure the legitimacy of the execute() method execution, mainly through two methods

  1. axelarGateway.validateContractCall () to validate if the command is approved or not
  2. onlyCentrifugeChainOrigin() is used to validate that sourceChain sourceAddress is legal.

Let's look at the implementation of onlyCentrifugeChainOrigin()

solidity
    modifier onlyCentrifugeChainOrigin(string calldata sourceChain, string calldata sourceAddress) {        
@>      require(msg.sender == address(axelarGateway), "AxelarRouter/invalid-origin");
        require(
            keccak256(bytes(axelarCentrifugeChainId)) == keccak256(bytes(sourceChain)),
            "AxelarRouter/invalid-source-chain"
        );
        require(
            keccak256(bytes(axelarCentrifugeChainAddress)) == keccak256(bytes(sourceAddress)),
            "AxelarRouter/invalid-source-address"
        );
        _;
    }

The problem is that this restriction msg.sender == address(axelarGateway)

When we look at the official axelarGateway.sol contract, it doesn't provide any call external contract 'sexecute() method

so msg.sender cannot be axelarGateway, and the official example does not restrict msg.sender

the security of the command can be guaranteed by axelarGateway.validateContractCall(), sourceChain, sourceAddress.

there is no need to restrict msg.sender

axelarGateway code address https://github.com/axelarnetwork/axelar-cgp-solidity/blob/main/contracts/AxelarGateway.sol

can't find anything that calls router.execute()

Impact

router.execute() cannot be executed properly, resulting in commands from other chains not being executed, protocol not working properly

Recommended Mitigation

remove msg.sender restriction

diff
    modifier onlyCentrifugeChainOrigin(string calldata sourceChain, string calldata sourceAddress) {        
-       require(msg.sender == address(axelarGateway), "AxelarRouter/invalid-origin");
        require(
            keccak256(bytes(axelarCentrifugeChainId)) == keccak256(bytes(sourceChain)),
            "AxelarRouter/invalid-source-chain"
        );
        require(
            keccak256(bytes(axelarCentrifugeChainAddress)) == keccak256(bytes(sourceAddress)),
            "AxelarRouter/invalid-source-address"
        );
        _;
    }

Assessed type

Context

OneBugPerDay.com
To all the whitehats, we salute you

Legal

Advertise with usPrivacy PolicyTerms of ServiceCookie PolicyAcceptable Use

Unsubscribe

Unsubscribe from all emailsConfirm unsubscribe via code

Subscribe

Subscribe via formConfirm subscription via codeChange your Preferences
Made by Alex The EntreprenerdVulnerabilities database by TinTinWeb