Funds can be stolen because of approval + send #10
Labels
3 (High Risk)
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Yes, this is a problem and we intend to fix it.
Handle
cmichel
Vulnerability details
Vulnerability Details
The
fulfill
transaction on the receiving chain first approves thetxData.callTo
contract with thetoSend
amount.It then tries to call the
addFunds
andexecute
actions ontxData.callTo
.When any of the calls reverts, the funds are sent to the
txData.receivingAddress
.Note this is a different attack from "Funds are sent twice on
callTo
errors". Assume that issue was already fixed and it would only send out the transfer once.The
txData.callTo
is user-controlled and an attacker can deploy a contract to this address and revert on all calls.They then receive the funds once (or twice if other issue was not fixed) through the direct
LibAsset.transferAsset(txData.receivingAssetId, payable(txData.receivingAddress), toSend)
call.Afterwards, as the approval was given to
callTo
, the attacker can send a transaction to theircallTo
contract totransferFrom(TransactionManager, toSend)
again.Impact
The receiver can get twice the amounts of funds that the router agreed to (and locked up).
This allows stealing all added liquidity in the contract by an attacker engaging in cross-chain transfers with themselves.
Recommended Mitigation Steps
Giving approvals to arbitrary contracts is very dangerous. It should probably be removed completely.
If it's really desired, at least reset the approval to 0 again at the end of the
fulfill
function such thatcallTo
must have usedtransferFrom
within the same transaction in theexecute
call.The text was updated successfully, but these errors were encountered: