Use of depreciated OZ Function isContract(), can be bypassed

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/bridge/Bridge.sol#L493

Vulnerability details

Impact

Bypass Logic to Verify if Caller is a Contract (Deprecated by OZ)

Proof of Concept

The processMessage() calls the _invokeMessageCall() function to invoke the message call which in turn checks if the to value is a contract or not and if it is, then it assigns false value to success_ parameter (L495).

However, OZ's official docs state that isContract function can return false for an address where a contract lived but, but was destroyed and also, the function has been deprecated. In which case the following condition:

     if (
            _message.data.length >= 4 // msg can be empty
                && bytes4(_message.data) != IMessageInvocable.onMessageInvocation.selector
                && _message.to.isContract()
        ) {
            success_ = false;
        } else {
            --snip--
        }

will resolve as false and the funds will get transferred regardless.

Tools Used

Manual audit (VS Code)

Recommended Mitigation Steps

Make a function that verifies their EOA status with 2 calls that must be on 2 different blocks.

Assessed type

call/delegatecall

[c4-pre-sort]

minhquanym marked the issue as insufficient quality report

[minhquanym]

Consider QA

[c4-judge]

0xean marked the issue as unsatisfactory:
Overinflated severity