{"componentChunkName":"component---node-modules-rocketseat-gatsby-theme-docs-core-src-templates-docs-query-js","path":"/manual-review/AccessManagerOmnichainInternal-AML","result":{"data":{"mdx":{"id":"3bca376a-ba9e-5e7d-8165-9e22f77ca824","excerpt":"AML-01M: Improper Refund Addresses Type Severity Location Logical Fault AccessManagerOmnichainInternal.sol : •  I-1:   L83 •  I-2:   L141 •  I-3:   L16…","fields":{"slug":"/manual-review/AccessManagerOmnichainInternal-AML/"},"frontmatter":{"title":"AccessManagerOmnichainInternal Manual Review Findings","description":"Contains all the findings that relate to manual review on the contract codebase","image":null,"disableTableOfContents":null},"body":"var _excluded = [\"components\"];\n\nfunction _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsxRuntime classic */\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"AccessManagerOmnichainInternal Manual Review 
Findings\",\n  \"description\": \"Contains all the findings that relate to manual review on the contract codebase\"\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, _excluded);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"span-idaml-01maml-01m-improper-refund-addressesspan\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#span-idaml-01maml-01m-improper-refund-addressesspan\",\n    \"aria-label\": \"span idaml 01maml 01m improper refund addressesspan permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"span\", {\n    id: \"AML-01M\"\n  }, \"AML-01M: Improper Refund Addresses\")), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Type\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Severity\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Location\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, 
mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"/reports/evergon-labs-onchain-data-containers-67586dec2e0f7500187d6bc9/appendix/finding-types#logical-fault\"\n  }, \"Logical Fault\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"img\", {\n    parentName: \"td\",\n    \"className\": \"o-severity o-minor\",\n    \"src\": \"https://omniscia.io/report-assets/minor.png\"\n  })), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"b\", null, \"AccessManagerOmnichainInternal.sol\"), \":\", mdx(\"br\", null), \"\\u2022 \", mdx(\"span\", {\n    title: \"Instance 1\"\n  }, \"I-1:\"), \" \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/ODC/blob/e712cb66013ac0ecf990a08d86e95fb7819e6afa/contracts/dataIndex/omnichain/AccessManagerOmnichainInternal.sol#L83\"\n  }, \"L83\"), mdx(\"br\", null), \"\\u2022 \", mdx(\"span\", {\n    title: \"Instance 2\"\n  }, \"I-2:\"), \" \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/ODC/blob/e712cb66013ac0ecf990a08d86e95fb7819e6afa/contracts/dataIndex/omnichain/AccessManagerOmnichainInternal.sol#L141\"\n  }, \"L141\"), mdx(\"br\", null), \"\\u2022 \", mdx(\"span\", {\n    title: \"Instance 3\"\n  }, \"I-3:\"), \" \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/evergonlabs/ODC/blob/e712cb66013ac0ecf990a08d86e95fb7819e6afa/contracts/dataIndex/omnichain/AccessManagerOmnichainInternal.sol#L162\"\n  }, \"L162\"))))), mdx(\"h3\", {\n    \"id\": \"description\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#description\",\n    \"aria-label\": \"description permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": 
\"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Description:\"), mdx(\"p\", null, \"The referenced \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"OmnichainProxy\"), \" function invocations will assume that the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"refundAddress\"), \" specified is equivalent across chains or that the caller themselves owns the same address on the target chain, both of which are incorrect as many L2s employ address masking, especially in the context of smart contract refund recipients (e.g. 
multi-signature wallets).\"), mdx(\"h3\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact:\"), mdx(\"p\", null, \"A cross-chain message's surplus or failure may result in unspent native funds being erroneously sent to an incorrect / inaccessible refund recipient, resulting in minor fund loss.\"), mdx(\"h3\", {\n    \"id\": \"example\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#example\",\n    \"aria-label\": \"example permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 
11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-sol\",\n    \"metastring\": \"title=contracts/dataIndex/omnichain/AccessManagerOmnichainInternal.sol highlight={22,28} lineNumbers=true lineOffset=61\",\n    \"title\": \"contracts/dataIndex/omnichain/AccessManagerOmnichainInternal.sol\",\n    \"highlight\": \"{22,28}\",\n    \"lineNumbers\": \"true\",\n    \"lineOffset\": \"61\"\n  }, \"function _approveOmnichainDataManagers(DataPoint dp, OmnichainAddress[] calldata dms, bool approved, address payable refundAddress) internal virtual {\\n    (uint32 dpChainId, , ) = DataPoints.decode(dp);\\n    ChainidTools.requireCurrentChain(dpChainId);\\n    _verifyLocalSenderIsDPAdmin(dp, msg.sender);\\n\\n    OmnichainProxy proxy = OmnichainSupportStorage.layout().proxy();\\n    if (address(proxy) == address(0)) revert ZeroProxyAddress();\\n    OmnichainAddress sender = OmnichainAddresses.encode(msg.sender);\\n    // Estimate fee\\n    (uint256 estimatedTotalFee, uint256[] memory estimatedFees) = _estimateApproveOmnichainDataManagers(proxy, dp, dms, approved, sender);\\n\\n    // Verify we have enough funds\\n    if (msg.value < estimatedTotalFee) {\\n        revert NotEnoughFunds(msg.value, estimatedTotalFee);\\n    }\\n    // Send approvals\\n    for (uint256 i; i < dms.length; i++) {\\n        OmnichainAddress dm = dms[i];\\n        if (estimatedFees[i] == 0) {\\n            _approveLocal(dp, dm, approved, sender);\\n        } else {\\n            proxy.queryApproveDataManager{value: estimatedFees[i]}(dp, dm, approved, sender, REMOTE_APPROVE_DATAMANAGER_GAS_LIMIT, refundAddress);\\n        }\\n    }\\n    // Send refund\\n    if (msg.value > estimatedTotalFee) {\\n        unchecked {\\n            Address.sendValue(refundAddress, msg.value - estimatedTotalFee);\\n        }\\n    }\\n}\\n\")), mdx(\"h3\", {\n    \"id\": \"recommendation\",\n    \"style\": 
{\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#recommendation\",\n    \"aria-label\": \"recommendation permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Recommendation:\"), mdx(\"p\", null, \"We advise the system to permit a different refund address to be specified per chain and to utilize the caller address as the intended refund recipient for any locally-unspent funds where applicable, ensuring that message refund operations are executed correctly.\"), mdx(\"h3\", {\n    \"id\": \"alleviation-c6b23c23d8bcd8cce85049ad959cbd711a37126b\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation-c6b23c23d8bcd8cce85049ad959cbd711a37126b\",\n    \"aria-label\": \"alleviation c6b23c23d8bcd8cce85049ad959cbd711a37126b permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 
8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):\"), mdx(\"p\", null, \"The Evergon Labs team evaluated this exhibit and clarified that they do not intend to fix it, as they anticipate that refunds will solely be processed on the local chain or that the edge cases where the issue would manifest are inconsequential.\"), mdx(\"p\", null, \"After reviewing the relevant GitHub discussions and call breakdowns, we concur with this assessment and thus consider the exhibit safely acknowledged.\"));\n}\n;\nMDXContent.isMDXComponent = true;","headings":[{"depth":2,"value":"<span id=\"AML-01M\">AML-01M: Improper Refund Addresses</span>"},{"depth":3,"value":"Description:"},{"depth":3,"value":"Impact:"},{"depth":3,"value":"Example:"},{"depth":3,"value":"Recommendation:"},{"depth":3,"value":"Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):"}]}},"pageContext":{"slug":"/manual-review/AccessManagerOmnichainInternal-AML/","prev":{"label":"OmnichainNonFungibleTokenDO.sol (ONF-S)","link":"/static-analysis/OmnichainNonFungibleTokenDO-ONF"},"next":{"label":"BaseDataObject.sol (BDO-M)","link":"/manual-review/BaseDataObject-BDO"}}},"staticQueryHashes":["1954253342","2328931024","2501019404","973074209"]}