Omniscia Evergon Labs Audit

OmnichainFungibleTokenDO Manual Review Findings

OFT-01M: Incorrect Encoding of Callback Payload

Type	Severity	Location
Logical Fault		OmnichainFungibleTokenDO.sol:L453

Description:

The IOmnichainFungibleTokenOperations::omnichainIncreaseBalanceCallback function selector as an operation will result in the OmnichainFungibleTokenDO::_omnichainCallback function being invoked which will attempt to decode a bool from the opData.

As the data supplied is empty rather than true, the decoding operation will fail causing a cross-chain LayerZero transaction that cannot be executed to manifest.

Impact:

Repeated omni-chain transfer attempts that were executed before the transaction was successfully processed will result in hanged cross-chain callback transactions.

Example:

contracts/dataobjects/omnichain/OmnichainFungibleTokenDO.sol

449function _omnichainIncreaseBalance(DataPoint dp, bytes32 rid, OmnichainAddress from, OmnichainAddress to, uint256 amount) internal returns (bytes memory) {
450    (, address toAddress) = OmnichainAddresses.decode(to);
451    if (_successfullOmnichainRequests[rid]) {
452        // Return data for callback call without any actions
453        return abi.encode(dp, IOmnichainFungibleTokenOperations.omnichainIncreaseBalanceCallback.selector, "");
454    }
455    _successfullOmnichainRequests[rid] = true;
456
457    bytes32 diidTarget = _diid(dp, toAddress);
458    DiidData storage diiddTarget = _diidData(dp, diidTarget);
459    _increaseBalance(diiddTarget, amount, dp, OTHER_CHAIN_FROM_DIID);
460    _increaseLocalTotalSupply(dp, amount);
461
462    // Notify handlers
463    // We are making external call within try/catch, it will revert if any of the handlers fail, but we will catch and handle it
464    bool success;
465    try this.callIncreaseBalanceHandlersAndRevertOnFail(dp, from, toAddress, amount) {
466        success = true;
467    } catch {
468        // Here we catch all errors, not only IncreaseBalanceCallbackHandlerFailed, because we need to send something back to original chain in any case
469        success = false;
470    }
471
472    if (!success) {
473        // Revert increase balance
474        _decreaseBalance(diiddTarget, amount, dp, diidTarget);
475        _decreaseLocalTotalSupply(dp, amount);
476    }
477
478    // Return data for Callback call
479    return abi.encode(dp, IOmnichainFungibleTokenOperations.omnichainIncreaseBalanceCallback.selector, abi.encode(success));
480}

Recommendation:

We advise the code to properly encode the true status code so as to ensure that the callback is properly executed and acts as a "no-op" in case an omni-chain transfer was retried multiple times before it was successfully executed.

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

The overall logic around omni-chain request statuses was updated to incorporate a CallResult value and the callback payload in both referenced statements will ensure that a bool value is encoded rather than an empty one, addressing this exhibit in full.

OFT-02M: Improper Refund Address

Type	Severity	Location
Logical Fault		OmnichainFungibleTokenDO.sol:L433

Description:

The referenced OmnichainProxy function invocation will assume that the caller themselves owns the same address on the target chain which is incorrect as many L2s employ address masking, especially in the context of smart contract refund recipients (i.e. multi-signature wallets).

Impact:

A cross-chain message's surplus or failure may result in unspent native funds being erroneously sent to an incorrect / inaccessible refund recipient, resulting in minor fund loss.

Example:

contracts/dataobjects/omnichain/OmnichainFungibleTokenDO.sol

421function _retryIncreaseOmnichainBalance(bytes32 rid) internal nonReentrant {
422    PendingOmnichainTransfer memory pot = _pendingOmnichainTransfers[rid];
423    (uint32 toChainId, ) = OmnichainAddresses.decode(pot.to);
424    bytes memory data = abi.encode(rid, pot.from, pot.to, pot.amount);
425    bytes32 retryRid = _proxy.queryDataObjectWrite{value: msg.value}(
426        toChainId,
427        address(this), // Address of DO on target chain is same on all chains
428        pot.dp,
429        IOmnichainFungibleTokenOperations.omnichainIncreaseBalance.selector,
430        data,
431        OMNICHAIN_INCREASE_BALANCE_GAS_LIMIT,
432        OMNICHAIN_INCREASE_BALANCE_CALLBACK_GAS_LIMIT,
433        payable(_msgSender())
434    );
435    emit OmnichainRetryIncompleteOmnichainIncreaseBalanceSent(rid, retryRid);
436}

Recommendation:

We advise the system to permit a different refund address to be specified, ensuring that message refund operations are executed correctly.

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

The refund address was updated to be the result of an input argument, alleviating this exhibit.

Omniscia Evergon Labs Audit

OmnichainFungibleTokenDO Manual Review Findings

OmnichainFungibleTokenDO Manual Review Findings

OFT-01M: Incorrect Encoding of Callback Payload

Description:

Impact:

Example:

Recommendation:

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

OFT-02M: Improper Refund Address

Description:

Impact:

Example:

Recommendation:

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

OmnichainFungibleFractionsDO.sol (OFF-M)

OmnichainIdentifiers.sol (OIS-M)

On this page