Loss of token if a smart contract performs a cross-chain transfer using source bridge #499
Labels: 2 (Med Risk), bug, duplicate-406, satisfactory, sufficient quality report
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/SourceBridge.sol#L61
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/DestinationBridge.sol#L90
Vulnerability details
Impact
Loss of token ownership if a smart contract performs a cross-chain transfer using the source bridge
Proof of Concept
When a caller calls burnAndCallAxelar, the token is burnt on the source chain
and the payload is encoded in this way:
when the dest chain triggers _execute,
the token is minted to srcSender, which is the same address as on the source chain
but the issue is, if a smart contract calls burnAndCallAxelar on the source chain, the same address on the dest chain may not be controlled by the original caller
in that case, the token ownership is lost
for example https://rekt.news/wintermute-rekt/
the false assumption that a multisig smart contract address is controlled by the same owner on a different network cost 20M OP
Tools Used
Manual Review
Recommended Mitigation Steps
let the user specify a recipient address in the source bridge when calling burnAndCallAxelar
then the recipient receives the minted token on the dest bridge
Assessed type
Token-Transfer
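The recommended mitigation, as an added sketch that is not part of the original report and is not the Ondo contracts: the source side encodes a caller-chosen recipient next to srcSender, and the destination side mints to that recipient. Every name other than burnAndCallAxelar, _execute and srcSender is hypothetical, the payload layout is an assumption, and the event stands in for the cross-chain messaging call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added sketch, not the Ondo contracts. All names except burnAndCallAxelar,
// _execute and srcSender are hypothetical; the payload layout is assumed.
interface IBridgedToken {
    function burnFrom(address from, uint256 amount) external;
    function mint(address to, uint256 amount) external;
}

contract SketchSourceBridge {
    IBridgedToken public immutable token;
    uint256 public nonce;
    // Stand-in for handing the payload to the cross-chain messaging layer.
    event MessageSent(string destinationChain, bytes payload);

    constructor(IBridgedToken token_) { token = token_; }

    function burnAndCallAxelar(uint256 amount, string calldata destinationChain, address recipient) external {
        require(amount > 0, "zero amount");
        // msg.sender may be a contract (multisig, vault) whose address is
        // undeployed or differently owned on the destination chain, so the
        // caller must name the account to credit there.
        require(recipient != address(0), "zero recipient");
        token.burnFrom(msg.sender, amount);
        // srcSender stays in the payload for audit only.
        bytes memory payload = abi.encode(msg.sender, recipient, amount, nonce++);
        emit MessageSent(destinationChain, payload);
    }
}

contract SketchDestinationBridge {
    IBridgedToken public immutable token;
    mapping(bytes32 => bool) public processed;
    event Minted(address indexed srcSender, address indexed recipient, uint256 amount, uint256 msgNonce);

    constructor(IBridgedToken token_) { token = token_; }

    // Gateway authentication and source-contract checks are omitted here.
    function _execute(bytes calldata payload) internal {
        bytes32 id = keccak256(payload);
        require(!processed[id], "already processed");
        processed[id] = true;
        (address srcSender, address recipient, uint256 amount, uint256 msgNonce) =
            abi.decode(payload, (address, address, uint256, uint256));
        token.mint(recipient, amount); // credit the named recipient, not srcSender
        emit Minted(srcSender, recipient, amount, msgNonce);
    }
}
```

The zero-address check only rejects an unset recipient; a contract caller still has to pass an address it controls on the destination chain.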