Open code423n4 opened 2 years ago
Issue raised is acknowledged and work is assigned on the roadmap. SKALE Chain owners must ensure any mapped assets, either through manual or automatic mapping, are compatible with their dApp(s). Manual mapping mode is the default mode for bridge operation.
I agree with both sides of the argument, and because this is contingent on configuration and admin privilege, believe Medium Severity to be more appropriate.
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/TokenManagers/TokenManagerERC20.sol#L289-L301
Vulnerability details
When moving tokens that are native on the origin schain to another schain, TokenManagerERC20.sol#transferToSchainERC20() will be called, which calls _exit() -> _receiveERC20():
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/TokenManagers/TokenManagerERC20.sol#L289-L301
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/TokenManagers/TokenManagerERC20.sol#L351-L361
However, on the target schain, while handling the inbound message with postMessage() -> _sendERC20(), when contractOnSchain is false, the transaction will fail with "Automatic deploy is disabled" when automaticDeploy == false:
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/TokenManagers/TokenManagerERC20.sol#L227-L235
As a result, any tokens that are locked in the origin schain by the user will be frozen in the contract.
Recommendation
Consider adding a mapping storage to cache whether automaticDeploy is enabled on a certain schain; the cache should be updated once automaticDeploy is updated. And only allow S2S transfers when automaticDeploy is enabled on the target schain.
To further avoid the edge case where, right after the user submits the S2S transfer tx on the from schain, the target schain disables automaticDeploy and the user's tokens are frozen in the from schain, we can introduce a 24 hrs timelock for disabling automaticDeploy.
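A sketch of the recommendation above, added here as an example; it is not SKALE IMA code and not part of the original report. Every contract, function and variable name other than automaticDeploy is hypothetical, and it assumes a trusted relay account carries the target schain's setting to the origin schain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical target-schain side: a disable takes effect only after
/// DISABLE_DELAY, so S2S messages already in flight can still be delivered.
contract TargetDeployFlag {
    uint256 public constant DISABLE_DELAY = 24 hours;
    address public immutable owner;
    bool private enabled;      // false by default (manual mapping mode)
    uint256 public disableAt;  // 0 = no disable scheduled

    event DisableScheduled(uint256 effectiveAt);

    constructor() { owner = msg.sender; }

    function automaticDeploy() public view returns (bool) {
        return enabled && (disableAt == 0 || block.timestamp < disableAt);
    }

    function enable() external {
        require(msg.sender == owner, "Not owner");
        enabled = true;
        disableAt = 0;
    }

    function scheduleDisable() external {
        require(msg.sender == owner, "Not owner");
        require(automaticDeploy() && disableAt == 0, "Nothing to disable");
        disableAt = block.timestamp + DISABLE_DELAY;
        emit DisableScheduled(disableAt); // assumed to be relayed to origin schains
    }
}

/// Hypothetical origin-schain side: cached copy of each target schain's setting.
contract OriginTransferGate {
    address public immutable relay; // assumed trusted cross-chain messenger
    mapping(bytes32 => bool) public automaticDeployOn; // target schain hash => flag

    constructor(address relay_) { relay = relay_; }

    /// Relay sets false as soon as a disable is scheduled, true after enable().
    function updateCache(bytes32 targetSchainHash, bool isEnabled) external {
        require(msg.sender == relay, "Not relay");
        automaticDeployOn[targetSchainHash] = isEnabled;
    }

    /// Check to run before tokens are locked for an S2S transfer.
    function requireTransferAllowed(bytes32 targetSchainHash) external view {
        require(automaticDeployOn[targetSchainHash], "Automatic deploy is disabled on target");
    }
}
```

The delay only protects in-flight transfers if the relay updates the origin cache and delivers pending messages within the 24-hour window.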