Closed code423n4 closed 2 years ago
This is not possible to transfer a token from mainnet, to schain 1 to schain2. IMA is restricted to one cross-chain transfer only (tokens are only able to be transferred from an "origin Chain" to a "destination chain" and no further). This was covered in docs in the audit readme, here: https://docs.skale.network/ima/1.2.x/getting-started#_tokens_move_by_one_chain
Per the sponsors provided documentation, the POC is invalidated, making the finding invalid
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/TokenManagers/TokenManagerERC20.sol#L112-L123 https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/TokenManagers/TokenManagerERC20.sol#L308-L312 https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/mainnet/DepositBoxes/DepositBoxERC20.sol#L158 https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/mainnet/DepositBoxes/DepositBoxERC20.sol#L306-L308
Vulnerability details
Impact
When tokens are transferred from one schain to another schain, the outgoing messages are not transmitted to the mainnet receiver. The amount of tokens on the receiving schain will increase but when exiting on mainnet with the full amount, it will cause underflow in
DepositBoxERC20.postMessage
when callingbecause
transferredAmount[receivingSchain][token]
on mainnet is not updated with the transfer, thus having less than the full amount.This will trap the tokens on the receiving schain unless it is willing to be transferred back to the previous schain to exit to mainnet.
Proof of Concept (ERC20)
When ERC20 token is transferred from schain1 to schain2, the record in
DepositBoxERC20
intransferredAmount[schain1][token]
andtransferredAmount[schain2][token]
do not change. This is because callingtriggers only one outgoing message to the target schain in
_exit
functionWhen the user intends to withdraw the increased amount to mainnet, it won't succeed because in
postMessage
inDepositBoxERC20
,will pass but the next line
will revert due to underflow as
transferredAmount[schain2][token]< amount
.Tools Used
Recommended Mitigation Steps
When transferring tokens from one schain to another, one can either go through exit to mainnet en route or post Outgoing message to both the target schain as well as mainnet receiver.