Open code423n4 opened 2 years ago
This is a valid issue, it does present the ability to 'steal' tokens from the bridge, so I think that justifies the severity.
If user (A) deposits a deflationary token and gets slightly more vouchers than were actually deposited into the bridge, upon withdraw they could steal tokens from user (B), who had also deposited.
reopening as per judges assessment as "primary issue" on findings sheet
Handle
shw
Vulnerability details
Impact
The sendToCosmos function of Gravity transfers _amount of _tokenContract from the sender using the function transferFrom. If the transferred token is a transfer-on-fee/deflationary token, the actually received amount could be less than _amount. However, since _amount is passed as a parameter of the SendToCosmosEvent event, the Cosmos side will think more tokens are locked on the Ethereum side.
Proof of Concept
Referenced code: Gravity.sol#L535 Gravity.sol#L541
Recommended Mitigation Steps
Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
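A sketch of the balance-difference check recommended above, added here as an example; it is not code from Gravity.sol. The contract name, the event field layout, the _destination parameter and the inline reentrancy guard are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed here, declared inline so the file compiles alone.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical bridge contract; only the deposit accounting is modelled.
contract BridgeDepositExample {
    // Assumed event shape: the report only states that the amount is an event parameter.
    event SendToCosmosEvent(
        address indexed tokenContract,
        address indexed sender,
        bytes32 indexed destination,
        uint256 amount
    );

    bool private locked;

    // A nested deposit made from a token callback would be counted twice by the
    // outer balance measurement, so the measured section must not be re-entered.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function sendToCosmos(address _tokenContract, bytes32 _destination, uint256 _amount)
        external
        nonReentrant
    {
        IERC20 token = IERC20(_tokenContract);

        // Measure what the bridge actually receives instead of trusting _amount.
        // Under Solidity 0.8 the subtraction reverts if the balance went down.
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), _amount), "transferFrom failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;

        require(received > 0, "nothing received");

        // Report the measured amount, so vouchers on the Cosmos side match
        // the tokens that are really locked on the Ethereum side.
        emit SendToCosmosEvent(_tokenContract, msg.sender, _destination, received);
    }
}
```

Tokens whose transferFrom returns no value would revert against this interface; a production version would route the call through a wrapper such as OpenZeppelin's SafeERC20.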