Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Approval is not reset if the call to IFulfillHelper fails #31

Open
code423n4 opened this issue Jul 11, 2021 · 1 comment
Open

Approval is not reset if the call to IFulfillHelper fails #31

code423n4 opened this issue Jul 11, 2021 · 1 comment
Assignees
@LayneHaber
Labels
3 (High Risk) bug Something isn't working sponsor confirmed Yes, this is a problem and we intend to fix it.

Comments

@code423n4
Copy link
Contributor

Handle

pauliax

Vulnerability details

Impact

Function fulfill first approves the callTo to transfer an amount of toSend tokens and tries to call IFulfillHelper but if the call fails it transfers these assets directly. However, in such case the approval is not reset so a malicous callTo can pull these tokens later:
// First, approve the funds to the helper if needed
if (!LibAsset.isEther(txData.receivingAssetId) && toSend > 0) {
require(LibERC20.approve(txData.receivingAssetId, txData.callTo, toSend), "fulfill: APPROVAL_FAILED");
}

    // Next, call `addFunds` on the helper. Helpers should internally
    // track funds to make sure no one user is able to take all funds
    // for tx
    if (toSend > 0) {
      try
        IFulfillHelper(txData.callTo).addFunds{ value: LibAsset.isEther(txData.receivingAssetId) ? toSend : 0}(
          txData.user,
          txData.transactionId,
          txData.receivingAssetId,
          toSend
        )
      {} catch {
        // Regardless of error within the callData execution, send funds
        // to the predetermined fallback address
        require(
          LibAsset.transferAsset(txData.receivingAssetId, payable(txData.receivingAddress), toSend),
          "fulfill: TRANSFER_FAILED"
        );
      }
    }

Recommended Mitigation Steps

Approve should be placed inside the try/catch block or approval needs to be reset if the call fails.
@code423n4 code423n4 added 3 (High Risk) bug Something isn't working labels Jul 11, 2021
code423n4 added a commit that referenced this issue Jul 11, 2021
@code423n4
pauliax issue #31
be432fa
@LayneHaber LayneHaber added the sponsor confirmed Yes, this is a problem and we intend to fix it. label Jul 12, 2021
This was referenced Jul 12, 2021
Closed
Closed
Closed
@LayneHaber LayneHaber self-assigned this Jul 13, 2021
@LayneHaber LayneHaber mentioned this issue Jul 14, 2021
Merged
@LayneHaber
Copy link
Collaborator

connext/monorepo#39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@LayneHaber LayneHaber

Labels
3 (High Risk) bug Something isn't working sponsor confirmed Yes, this is a problem and we intend to fix it.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LayneHaber @code423n4