The CrossAnchorBridge.sol contract interacts with the Wormhole token bridge to process incoming and outgoing transactions to and from Ethereum/Terra. The handleToken() internal function pulls funds from msg.sender and publishes a message to the Terra manager based on this amount. However, this function does not account for fee-on-transfer tokens, where the received amount will actually be less than the sent amount. As a result, the contract can end up holding insufficient tokens, and it is likely that some users will lose out if they don't exit the bridge earlier than others.
Proof of Concept
Tools Used
Manual code review.
Recommended Mitigation Steps
Consider taking a snapshot of the token balance before and after the transfer and treat the difference between these two amounts as the received token amount. This will be compatible with all types of tokens and avoid any issues where users are unable to withdraw their entire deposited amount.
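The balance-snapshot pattern described above, shown beside the amount-trusting form it replaces. This is an added example, not code from CrossAnchorBridge.sol or the Anchor project; the contract name, function names, event and reentrancy lock are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of the standard ERC-20 interface needed for this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical illustration contract; names are assumptions, not the project's.
contract BalanceDiffDeposit {
    // Stands in for the cross-chain message that reports the deposited amount.
    event Deposited(address indexed token, address indexed from, uint256 requested, uint256 received);

    bool private locked;

    // Simple lock: a token with transfer hooks must not be able to re-enter
    // between the two balance reads and skew the measured difference.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Before: reports the caller-supplied amount. With a fee-on-transfer token
    // the contract holds less than it reports, so later withdrawals fall short.
    function pullNaive(IERC20 token, uint256 amount) external nonReentrant returns (uint256) {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        emit Deposited(address(token), msg.sender, amount, amount);
        return amount;
    }

    // After: reports only what actually arrived, measured as the balance delta.
    function pullMeasured(IERC20 token, uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Checked arithmetic (0.8+) reverts if the balance somehow decreased.
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        emit Deposited(address(token), msg.sender, amount, received);
    }
}
```

Tokens that do not return a bool from transferFrom would revert against this minimal interface, so a production version would route the call through a safe-transfer wrapper.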
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L177-L212