[M-02] Incorrect call argument in THORChain_Router::_transferOutAndCallV5, leading to grief/steal of THORChain_Aggregator's funds or DoS (#55)
Labels: 2 (Med Risk) (assets not at direct risk, but function/availability of the protocol could be impacted or leak value); bug (something isn't working); edited-by-warden; M-01; primary issue (highest quality submission among a set of duplicates); 🤖_12_group (AI based duplicate group recommendation); satisfactory (satisfies C4 submission criteria; eligible for awards); selected for report (this submission will be included/highlighted in the audit report); sufficient quality report (this report is of sufficient quality)
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/main/ethereum/contracts/THORChain_Router.sol#L368
Vulnerability details
Impact
When transferring a fee-on-transfer token in THORChain_Router::_transferOutAndCallV5, the token is first deposited to the THORChain_Aggregator and then THORChain_Aggregator::swapOutV5 is called with the same amount, even though the aggregator received less than that amount. The call will therefore always revert if the THORChain_Aggregator does not hold tokens of its own, or else it griefs/steals (depending on the token) the THORChain_Aggregator's tokens. An example of a fee-on-transfer token that is in the whitelist is PAXG (see here).
Loss of funds that are locked and waiting to be rescued in the THORChain_Aggregator.
Proof of Concept
To reproduce this, please add the following test fee-on-transfer token.
Create a file inside ethereum/contracts with the name FeeOnTransferToken.sol and paste this inside:
The next step is to add a test with this token. Because the other tests use hard-coded gas asset assertion values, the easiest way is to add a new test. Create a file in ethereum/test (next to the other tests) and paste this:
Tools Used
Manual Review
Recommended Mitigation Steps
Consider creating a safeTransfer function, similar to the safeTransferFrom:
Add this below THORChain_Router::safeTransferFrom:
In THORChain_Router::_transferOutAndCallV5:
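An added illustration of the suggested safeTransfer, written for this write-up and not code from the THORChain repository: the selector call plus balance-delta shape is assumed to mirror the router's existing safeTransferFrom, and FeeOnTransferMock, SafeTransferExample and the 0xBEEF recipient are constructed for the example. It shows why the amount handed to the aggregator must be the received amount, not the requested one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Constructed fee-on-transfer token: burns 1% of every transfer (stands in for a token like PAXG).
contract FeeOnTransferMock is IERC20 {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fee = amount / 100;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - fee; // recipient gets less than `amount`
        return true;
    }
}

contract SafeTransferExample {
    // Balance-delta transfer (assumed to follow the router's safeTransferFrom pattern):
    // returns what the recipient actually received rather than the requested amount.
    function safeTransfer(address asset, address to, uint256 amount) internal returns (uint256 received) {
        uint256 before = IERC20(asset).balanceOf(to);
        // 0xa9059cbb is the selector of transfer(address,uint256); the low-level call
        // also tolerates tokens that return no data.
        (bool ok, bytes memory data) = asset.call(abi.encodeWithSelector(0xa9059cbb, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "Failed To Transfer");
        received = IERC20(asset).balanceOf(to) - before;
    }

    // Shows the gap between the requested and received amounts. `received` is the value
    // a downstream call such as the aggregator's swap should be given; passing `requested`
    // instead is exactly the mismatch described above.
    function demo() external returns (uint256 requested, uint256 received) {
        FeeOnTransferMock token = new FeeOnTransferMock(1_000_000);
        address aggregator = address(0xBEEF); // placeholder recipient, not a real aggregator
        requested = 1_000;
        received = safeTransfer(address(token), aggregator, requested); // 990 with the 1% fee
    }
}
```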
Assessed type
Token-Transfer