The Macro review audit identified that the delegate argument passed to connext.xcall, which is used inside the bundle actions _crossTransfer and _crossTransferWithCalldata, is subject to a vulnerability. Previously the delegate was set to msg.sender. However, it would be best to pass the delegate as its own argument.
In _crossTransfer:
```solidity
function _crossTransfer(
  bytes memory params,
  address beneficiary
)
  internal
  override
  returns (address)
{
  (
    uint256 destDomain,
    uint256 slippage,
    address asset,
    uint256 amount,
    address receiver,
    address sender,
    address delegate
  ) = abi.decode(params, (uint256, uint256, address, uint256, address, address, address));
  ...
  bytes32 transferId = connext.xcall(
    // _destination: Domain ID of the destination chain
    uint32(destDomain),
    // _to: address of the target contract
    receiver,
    // _asset: address of the token contract
    asset,
    // _delegate: address that has rights to update the original slippage tolerance
    // by calling Connext's forceUpdateSlippage function
    delegate,
    // _amount: amount of tokens to transfer
    amount,
    // _slippage: the maximum amount of slippage the user will accept in BPS;
    // can be anything between 0-10000, 30 == 0.3%
    slippage,
    // _callData: empty because we're only sending funds
    ""
  );
```
In _crossTransferWithCalldata:
```solidity
function _crossTransferWithCalldata(
  bytes memory params,
  address beneficiary
)
  internal
  override
  returns (address beneficiary_)
{
  (
    uint256 destDomain,
    uint256 slippage,
    address asset,
    uint256 amount,
    address delegate,
    bytes memory callData
  ) = abi.decode(params, (uint256, uint256, address, uint256, address, bytes));
  ...
  bytes32 transferId = connext.xcall(
    // _destination: Domain ID of the destination chain
    uint32(destDomain),
    // _to: address of the target contract
    routerByDomain[destDomain],
    // _asset: address of the token contract
    asset,
    // _delegate: address that can revert or forceLocal on destination
    delegate,
    // _amount: amount of tokens to transfer
    amount,
    // _slippage: the maximum amount of slippage the user will accept in BPS;
    // can be anything between 0-10000, 30 == 0.3%
    slippage,
    // _callData: the encoded calldata to send
    callData
  );
```
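With the delegate now carried inside `params`, whoever builds the bundle has to supply it in the exact position each action decodes it from. The library below is an added example, not code from the project or the audit: it encodes `params` for both actions in the field order shown above. The names `CrossTransferParams`, `ZeroDelegate`, `SlippageTooHigh` and `MAX_BPS` are hypothetical, and the zero-address and slippage-range checks are assumptions added here as hardening.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Added example (hypothetical helper): builds the `params` blobs for the two
/// bundle actions with the delegate passed explicitly by the caller.
library CrossTransferParams {
  error ZeroDelegate();
  error SlippageTooHigh(uint256 slippage);

  // Upper bound taken from the "0-10000" BPS range in the xcall comments.
  uint256 internal constant MAX_BPS = 10_000;

  function _check(uint256 slippage, address delegate) private pure {
    // Assumption: a zero delegate would leave no account able to update
    // the slippage tolerance on the destination chain.
    if (delegate == address(0)) revert ZeroDelegate();
    if (slippage > MAX_BPS) revert SlippageTooHigh(slippage);
  }

  /// Field order matches the abi.decode in _crossTransfer.
  function encodeCrossTransfer(
    uint256 destDomain,
    uint256 slippage,
    address asset,
    uint256 amount,
    address receiver,
    address sender,
    address delegate
  ) internal pure returns (bytes memory) {
    _check(slippage, delegate);
    return abi.encode(destDomain, slippage, asset, amount, receiver, sender, delegate);
  }

  /// Field order matches the abi.decode in _crossTransferWithCalldata.
  function encodeCrossTransferWithCalldata(
    uint256 destDomain,
    uint256 slippage,
    address asset,
    uint256 amount,
    address delegate,
    bytes memory callData
  ) internal pure returns (bytes memory) {
    _check(slippage, delegate);
    return abi.encode(destDomain, slippage, asset, amount, delegate, callData);
  }
}
```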