findings | February 24, 2024

Tapioca – OFT can be impersonated through _lzCompose with multiple compose messages

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

This vulnerability allows anyone to make cross-chain calls carrying multiple compose messages, with every message after the first one executed as the OFT contract itself.

Vulnerability Details

The OFT tokens (USDO, TOFT, mTOFT) delegate the lzReceive() execution to the Omnichain receiver, which inherits from TapiocaOmnichainReceiver. This means that the cross-chain messages (sent via LayerZero) are handled by the _lzCompose function of TapiocaOmnichainReceiver.

The first parameter of the function (srcChainSender_) represents the sender of the message on the source chain. The main compose message is executed with the correct value of srcChainSender_.

However, the nested messages are executed with address(this) as srcChainSender_, which means that each of those operations is executed on behalf of the OFT token.

The next message is retrieved by the decodeToeComposeMsg function.

The sendPacket function accepts any bytes for _composeMsg parameter, which is forwarded to the same function in TapiocaOmnichainSender contract. There, it is passed to _buildOFTMsgAndOptions without any modification and, in the end, it is encoded using LayerZero’s OFTMsgCodec library – again, with no modification.

As a result, the sender has full control over the compose message and can specify any number of nested messages (represented as _nextMsg).

Impact

HIGH – Anyone is able to execute operations in Tapioca on behalf of the OFT tokens.

Recommendation

Execute the nested messages with the current value of srcChainSender_ as the first parameter of the recursive _lzCompose call, instead of address(this).
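To make the defect and the fix concrete, here is an added, simplified stand-in for the compose handler described in the Vulnerability Details above and in this recommendation. It is example code written for this post, not Tapioca's or LayerZero's code: the contract name, the ComposeMsg struct, the abi.encode-based wire format and the function names are assumptions, and decodeComposeMsg only mimics the role of decodeToeComposeMsg. The vulnerable handler and the hardened one sit side by side so the only difference (what is passed as the sender in the recursive call) is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified, hypothetical stand-in for a TapiocaOmnichainReceiver-style compose handler.
/// Contract name, struct layout and function names are assumptions for this example;
/// the real codec (decodeToeComposeMsg / OFTMsgCodec) is different.
contract ComposeReceiverExample {
    /// Constructed wire format for this example: abi.encode(msgType, payload, nextMsg).
    /// An empty nextMsg terminates the chain.
    struct ComposeMsg {
        uint16 msgType;
        bytes payload;
        bytes nextMsg;
    }

    /// Source-chain sender recorded for each executed message, in execution order,
    /// so the difference between the two handlers can be inspected after a call.
    address[] public sendersSeen;

    event Executed(uint16 indexed msgType, address indexed srcChainSender, bytes payload);

    /// Helper used to build a (possibly nested) compose message in this example's format.
    function encodeComposeMsg(uint16 msgType, bytes memory payload, bytes memory nextMsg)
        public
        pure
        returns (bytes memory)
    {
        return abi.encode(msgType, payload, nextMsg);
    }

    /// Stand-in for the codec's decode step: splits one message off the chain.
    function decodeComposeMsg(bytes memory composeMsg) public pure returns (ComposeMsg memory m) {
        (m.msgType, m.payload, m.nextMsg) = abi.decode(composeMsg, (uint16, bytes, bytes));
    }

    /// VULNERABLE pattern from the finding: only the first message keeps the real
    /// srcChainSender; every nested message is executed with address(this), i.e. the
    /// OFT itself, as the sender.
    function lzComposeVulnerable(address srcChainSender, bytes memory composeMsg) public {
        ComposeMsg memory m = decodeComposeMsg(composeMsg);
        _execute(m.msgType, srcChainSender, m.payload);
        if (m.nextMsg.length > 0) {
            // BUG: the recursive call replaces the sender with the contract's own address.
            lzComposeVulnerable(address(this), m.nextMsg);
        }
    }

    /// FIXED pattern following the recommendation: the current srcChainSender is
    /// forwarded unchanged to the recursive call, so nested messages cannot escalate.
    function lzComposeFixed(address srcChainSender, bytes memory composeMsg) public {
        ComposeMsg memory m = decodeComposeMsg(composeMsg);
        _execute(m.msgType, srcChainSender, m.payload);
        if (m.nextMsg.length > 0) {
            lzComposeFixed(srcChainSender, m.nextMsg);
        }
    }

    /// Clears the recorded senders so the two handlers can be compared in one session.
    function resetSendersSeen() public {
        delete sendersSeen;
    }

    function sendersSeenCount() public view returns (uint256) {
        return sendersSeen.length;
    }

    /// Where the real receiver would dispatch on msgType to an operation authorised by
    /// srcChainSender; here it only records which address the call was attributed to.
    function _execute(uint16 msgType, address srcChainSender, bytes memory payload) internal {
        sendersSeen.push(srcChainSender);
        emit Executed(msgType, srcChainSender, payload);
    }
}
```

Feeding a chain of three messages built with encodeComposeMsg from a source-chain sender A into lzComposeVulnerable leaves sendersSeen as [A, address(this), address(this)]; the same chain through lzComposeFixed leaves [A, A, A]. A unit test that asserts the recorded sender never equals the receiver's own address for any nested message is a cheap regression check for this class of bug.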
