Token recipient is an inaccessible address for contracts #514
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-406
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/SourceBridge.sol#L61-L82
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/DestinationBridge.sol#L85-L114
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/DestinationBridge.sol#L337-L353
Vulnerability details
Impact
The
msg.sender
address from theSourceBridge.burnAndCallAxelar
function is used by theDestinationBridge._mintIfThresholdMet
function as theTOKEN
recipient. However, themsg.sender
address will not be controllable by contracts on L2, so any tokens will be lost.Proof of Concept
The
SourceBridge.burnAndCallAxelar
function constructs thepayload
:The
payload
then is decoded at theDestinationBridge._execute
function and used to save transaction parameters in thetxnHashToTransaction
mapping as theTransaction(srcSender, amt)
structure.The
DestinationBridge._mintIfThresholdMet
uses the parameters for the tokens minting:So if the
burnAndCallAxelar
function is called by a contract the tokens will be minted to a wrong address (not the contract address at the destination chain ).Tools Used
Manual review
Recommended Mitigation Steps
Consider specifying recipients for any token transfers or reverting in the case of the sender is not an EOA.
Assessed type
Other
The text was updated successfully, but these errors were encountered: