The CrossAnchorBridge contract accepts any ERC20 token and transfers them to the wormhole bridge. There were allowlist checks on the tokens before, but they were commented out in this version for the audit. If a user transfers, for example, non-supported collateral to the bridge contract, the bridge on the Ethereum side will accept it, but the lending market on the Terra side will reject it. As a result, the transferred token could be lost in the bridge contract and is unrecoverable.
Uncomment the allowlist checks in the referenced lines of code. Besides, would suggest adding functionality to add or remove tokens from the allowlist dynamically.
GalloDaSballo
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L173 https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L251 https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/cross-chain-contracts/ethereum/CrossAnchorBridge.sol#L256
Vulnerability details
Impact
The
CrossAnchorBridgecontract accepts any ERC20 token and transfers them to the wormhole bridge. There were allowlist checks on the tokens before, but they were commented out in this version for the audit. If a user transfers, for example, non-supported collateral to the bridge contract, the bridge on the Ethereum side will accept it, but the lending market on the Terra side will reject it. As a result, the transferred token could be lost in the bridge contract and is unrecoverable.Proof of Concept
The following allowlist checks in the
CrossAnchorBridgeare commented out: CrossAnchorBridge.sol#L173 CrossAnchorBridge.sol#L251 CrossAnchorBridge.sol#L256However, there are allowlist restrictions on the tokens on the money market contracts, for example: overseer/src/collateral.rs#L37 overseer/src/collateral.rs#L99 overseer/src/state.rs#L77-L89
Recommended Mitigation Steps
Uncomment the allowlist checks in the referenced lines of code. Besides, would suggest adding functionality to add or remove tokens from the allowlist dynamically.