Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

calling finishSetup() before completing setup can render the vault as useless. #83

Open
hats-bug-reporter bot opened this issue Feb 5, 2024 · 6 comments
Open

calling finishSetup() before completing setup can render the vault as useless. #83

hats-bug-reporter bot opened this issue Feb 5, 2024 · 6 comments
Labels
wontfix This will not be worked on

Comments

@hats-bug-reporter
Copy link

Github username: @https://github.com/betharavikiran
Twitter username: @ravikiranweb3
Submission hash (on-chain): 0xb15909f47f8166e8c7bebc8d24d6ac012d4a993e55d3ee89ddd1ea6d01e93b4e
Severity: low

Description:
Description
SetupMaster is a temporary entitlement provided to an account to configure the vault. The role of setupMaster
is to configure the connections for the vault. Calling finishSetup() will revoke the temporary entitlement and
the vault becomes unstoppable.

The vulnerability is the call to finishSetup() before calling setConnection() will revoke the entitlements
and the vault will not be functional if connections were not set.

The finishSetup can be called by setupMaster once and lose the entitlements permanently.

function finishSetup() external override {
        require(msg.sender == _setupMaster); // dev: No auth

        _setupMaster = address(0);

        emit FinishSetup();
    }

The setConnection can be called only by setupMaster, if there connections are not set, key functionality will
not work.

function setConnection(
        bytes32 channelId,
        bytes calldata toVault,
        bool state
    ) external override {
        require(msg.sender == _setupMaster); // dev: No auth
        require(toVault.length == 65);  // dev: Vault addresses are uint8 + 64 bytes.

        _vaultConnection[channelId][toVault] = state;

        emit SetConnection(channelId, toVault, state);
    }

All the below listed function on both Vault templates will not work rendering the vault as useless.

The problem exists for both types of vaults.

  • sendAsset
  • sendAssetFixedUnit
  • receiveAsset
  • sendLiquidity
  • receiveLiquidity
  • releaseUnderwriteAsset

Attack Scenario\

  • Deploy a new vault using the factory's deploy function.
  • Call finishSetup() function on the vault.

The vault will not work as expected.

Attachments

  1. Proof of Concept (PoC) File
  1. Revised Code File (Optional)

In the setup() function of the vault , nominate the chains that will be configured for the vault.

Before revoking the entitlements, the nominimated
chain connections should be configured.

When calling finishSetup(), the logic checks to ensure that configured chain related connections are configured. If not, the finishSetup will revert allowing the temporary admin to configure the vault properly.
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Feb 5, 2024
@reednaa
Copy link
Collaborator

reednaa commented Feb 6, 2024

Given the function name finishSetup I personally believe it is pretty clear that you should only call it after you have set the connections.
The vault are very close to their maximum size and as such we can't add a lot logic to these checks. Furthermore, the setup functions are stack limited and we would have to convert the setup into a struct which would further increase gas cost, likewise, storing the connections to be setup would also increase gas cost significantly. (potential many zero to non-zero just to set to zero again).

What if the user misinput a connection in the beginning, would that render the vault invalid? Say they specified a connection to Polygon, BSC, and Base but afterwards decided to only set to Polygon and Base?

There is no fix to this issue that doesn't create new problems and the function is clearly doing its intended purpose.

@reednaa reednaa added the wontfix This will not be worked on label Feb 6, 2024
@betharavikiran
Copy link

What is the time window to call finishSetup() in that case ?
Unless this function is called, the vault is not ready to be used.

so, can he continue to decide for long time ? It has to be planned and executed almost immediately after deployment.
Otherwise, the vault will not be ready to use due to the below.

But, yes, suggestion above does not cover the scenario you described above.

function ready() external view override returns (bool) {
// _setupMaster == address(0) ensures the pool is safe. The setup master can drain the pool!
// _tokenIndexing[0] != address(0) check if the pool has been initialized correctly.
// The additional check is there to ensure that the initial deployment returns false.
return _setupMaster == address(0) && _tokenIndexing[0] != address(0);
}

@reednaa
Copy link
Collaborator

reednaa commented Feb 7, 2024

What is the time window to call finishSetup() in that case ?

There is no time window. Someone could technically run the vault forever without calling finishSetup. This would let them modify the connections if they wanted. Within a certain (trusted) group of people this might be desired.

@betharavikiran
Copy link

betharavikiran commented Feb 7, 2024 via email

@reednaa
Copy link
Collaborator

reednaa commented Feb 7, 2024

It will indicate it for each specific vault. To figure out if a pool is final, you have to check all connected vaults.

@betharavikiran
Copy link

betharavikiran commented Feb 7, 2024 via email

@reednaa reednaa removed the bug Something isn't working label Feb 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@betharavikiran @reednaa