code-423n4 / 2021-08-gravitybridge-findings


Incorrect accounting on transfer-on-fee/deflationary tokens in `Gravity` #62

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

shw

Vulnerability details

Impact

The `sendToCosmos` function of `Gravity` transfers `_amount` of `_tokenContract` from the sender using the function `transferFrom`. If the transferred token is a transfer-on-fee/deflationary token, the actually received amount could be less than `_amount`. However, since `_amount` is passed as a parameter of the `SendToCosmosEvent` event, the Cosmos side will think more tokens are locked on the Ethereum side.

Proof of Concept

Referenced code: Gravity.sol#L535 Gravity.sol#L541

Recommended Mitigation Steps

Consider getting the received amount by calculating the difference of token balance (using `balanceOf`) before and after the `transferFrom`.
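As an added illustration (not Gravity's own code; the event signature, the `state_lastEventNonce` name and the minimal `IERC20` interface are assumptions modelled on the bridge), the vulnerable pattern beside the balance-delta accounting the report recommends:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed minimal ERC-20 surface for the illustration (assumption, not the project's import).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DepositAccounting {
    // Assumed event shape; the real bridge's event may carry more fields.
    event SendToCosmosEvent(
        address indexed _tokenContract,
        address indexed _sender,
        bytes32 indexed _destination,
        uint256 _amount,
        uint256 _eventNonce
    );

    uint256 public state_lastEventNonce;

    // Vulnerable pattern: the event reports the requested _amount, not what the
    // contract actually received. For a fee-on-transfer token the bridge holds
    // less than _amount, but the Cosmos side mints vouchers for the full _amount.
    function sendToCosmosVulnerable(address _tokenContract, bytes32 _destination, uint256 _amount) external {
        require(IERC20(_tokenContract).transferFrom(msg.sender, address(this), _amount), "transfer failed");
        state_lastEventNonce += 1;
        emit SendToCosmosEvent(_tokenContract, msg.sender, _destination, _amount, state_lastEventNonce);
    }

    // Mitigated pattern: measure the balance delta so the event (and therefore
    // the Cosmos-side voucher mint) reflects only tokens the bridge now holds.
    function sendToCosmosChecked(address _tokenContract, bytes32 _destination, uint256 _amount) external {
        IERC20 token = IERC20(_tokenContract);
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), _amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        state_lastEventNonce += 1;
        emit SendToCosmosEvent(_tokenContract, msg.sender, _destination, received, state_lastEventNonce);
    }
}
```

The balance-delta check covers fee-on-transfer tokens but not tokens with transfer hooks that could reenter between the two `balanceOf` reads, so a production bridge should pair it with a reentrancy guard.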

jkilpatr commented 2 years ago

This is a valid issue, it does present the ability to 'steal' tokens from the bridge, so I think that justifies the severity.

If user (A) deposits a deflationary token and gets slightly more vouchers than were actually deposited into the bridge, upon withdrawal they could steal tokens from user (B) who had also deposited.

loudoguno commented 2 years ago

reopening as per judge's assessment as "primary issue" on findings sheet