Immunefi
Published in

Immunefi

Aurora Withdrawal Logic Error Bugfix Review

Summary

Aurora Introduction

Bridges

Technical background on Aurora and Rainbow Bridge

Solidity
struct BurnResult {
uint128 amount;
address recipient;
address ethCustodian;
}
Rust
/// withdraw result for eth-connector
#[derive(BorshSerialize)]
#[cfg_attr(not(target_arch = “wasm32”), derive(BorshDeserialize))]
pub struct WithdrawResult {
pub amount: NEP141Wei,
pub recipient_id: Address,
pub eth_custodian_address: Address,
}

Vulnerability

Rust
#[no_mangle]
pub extern “C” fn view() {
let mut io = Runtime;
let env = ViewEnv;
let args: ViewCallArgs = io.read_input_borsh().sdk_unwrap();
let current_account_id = io.current_account_id();
let engine = Engine::new(args.sender, current_account_id, io, &env).sdk_unwrap();
let result = Engine::view_with_args(&engine, args).sdk_unwrap();
io.return_output(&result.try_to_vec().sdk_expect(“ERR_SERIALIZE”));
}
Solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity >=0.7.0 <0.9.0;
contract Echo {
function echo(bytes memory payload) public pure {
assembly {
let pos := mload(0x40)
mstore(pos, mload(add(payload, 0x20)))
mstore(add(pos, 0x20), mload(add(payload, 0x40)))
return(pos, 51)
}
}}
  • An amount to withdraw written in little-endian notation, for example, 0x0000000000f06381960a000000000000
  • Address of the receiver on Ethereum blockchain, for example, 0x1111111122222222333333334444444455555555
  • EthCustodian address (the one which will be processing withdraw on the Ethereum side), for example, 0x6666666677777777888888889999999911111111
  • Proof data is associated with the transaction that did happen on the NEAR blockchain
  • The executor_id is the Aurora contract
  • Data from the proof will be correctly deserialized to the BurnResult struct
  • The deserialized data contains the EthCustodian contract’s address

Vulnerability Fix

Acknowledgements

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.