Remediations to Trail of Bits Audit
Additional issues discovered
- Routers have no way to unenroll a domain and the potential workaround of enrolling the zero address for that domain fails due to
EnumerableMap.contains
semantics - Mailbox
recipientIsm
view call reverts if a message recipient does not implementinterchainSecurityModule()
but has a non-compliant fallback function - Mailbox
dispatch
reverts with underflow ifmsg.value
is not greater than required value in theMailbox.dispatch()
or possibly allows a user to circumvent required fees with preexistingaddress(mailbox).balance
Changes
-
1ecfc46 v3 Router changes (#2752)
- Restructured the
solidity/
subdirectory for better navigation and readability. - Internal
_dispatch()
function takes in argument_value
to pass to the mailbox forMailboxClient
andRouter
contracts. - Removed the duplicated local Openzeppelin's
CrossChainEnabled
library and replaced as a dependency. (Openzeppelin has removed the library from their repo (at release 5.0.0) but our dependency is pointing to the release ^4.8.0 before the removal) - Directly calling
getAnnouncementDigest()
inValidatorAnnounce
(now aMailboxClient
) instead of theValidatorAnnouncements
library. - Removed the
IInterchainAccountRouter
andIInterchainQueryRouter
interfaces which were previously not being used anywhere except forInterchainAccountRouter
andInterchainQueryRouter
contracts. HypERC20Collateral
,HypNative
, andHypERC721Collateral
and their subsequent dependents adopt the new constructor signature fromTokenRouter
and omit theinitialize()
function made redundant because of their inheritance ofMailboxClient__initialize()
HypERC721
now correctly transfer ownership to themsg.sender
instead of the mailbox.
- Restructured the
-
c91f589 Security Patch 1: Add explicit Router unenrollment (#2760)
- Added a
unenrollRemoteRouter()
function to theRouter
contract to allow for removing a remote router from the local router'sEnumerableMapExtended
registry (useful for non-active routers). Similarily, theremove()
has been added toDomainRoutingIsm
to allow for removing a domain from the ISM'sEnumerableMapExtended
registry. DefaultFallbackRoutingIsm
also inherits fromMailboxClient
.
- Added a
-
bf3d3c4 Security Patch 2: Make recipient security module resilient to non-reverting empty fallback (#2767)
- Resolve the case when the recipient contract doesn't specify their own ISM by omitting a
interchainSecurityModule()
function but including a fallback function. In this case, the Mailbox'srecipientIsm
function reverts by trying to decode empty bytes.
- Resolve the case when the recipient contract doesn't specify their own ISM by omitting a
-
8e4f2bb Make factory implementations verifiable (#2761)
- Renaming abstract static factories for more clarity and making the
implemetation()
function public on the specific factory contracts for easier offchain querying.
- Renaming abstract static factories for more clarity and making the
-
a60ec18 Unify overheardIgp and igp (#2766)
- Consolidating
InterchainGasPaymaster
andOverheadIgp
into a singleInterchainGasPaymaster
contract to remove the "inner IGP" design making it more accessible to deploy and interact with.DomainGasConfig
struct now stores the gas oracle address and the gas overhead (accounting for remote chain'sMailbox.process()
andISM.verify()
function calls in the gas calculation).
- Consolidating
-
d69d76a Security Patch 3: Underflow in Mailbox dispatch and error messages (#2769)
- Adding a check on the
msg.value
to be greater than required value in theMailbox.dispatch()
to throw a more descriptive error in the required hook instead of an underflow in the mailbox. Otherwise, if the mailbox has sufficientmsg.value
prior to the dispatch and the user overrides the default hook, she can circument paying for the dispatch.
- Adding a check on the