Closed code423n4 closed 2 years ago
If bridging fails in any facet other than cBridge, the function will revert, returning all the tokens. In the case of cBridge, the refund is not automatically issued, so there's no risk of funds being stuck in the contract.
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/CBridgeFacet.sol#L161-L168
Vulnerability details
https://github.com/celer-network/sgn-v2-contracts/blob/b0cf02c15e25f66279420e3ff6a8b2fe07404bab/contracts/Bridge.sol#L53-L54
As per the documentation and comments in cBridge's code:
Whenever a bridging order ends up refunded by the bridge operator (cBridge), the funds are sent back to `transfer.sender`, which will be the li.fi diamond contract.
https://github.com/celer-network/sgn-v2-contracts/blob/fcc40a30579c030c2a458c7e3b23cbc42295eedb/contracts/message/apps/BatchTransfer.sol#L90-L98
In the current implementation, these refunds will just sit in the diamond contract, and the rightful owners of the funds won't have a way to claim them.
In essence, once a bridging order fails and is refunded, the user loses all their funds.
PoC
There is no way for Alice to get back the 100 USDC.
In fact, the 100 USDC can be stolen by an attacker; see [WP-H6] and [WP-H7].
Recommendation
Consider adding a new method to refund users. It should look up and set the refund status by orderId (cBridge's transferId) and ensure that a single orderId cannot be refunded more than once.
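One way to implement the recommended refund path, written here as an added illustration and not code from the li.fi repository or from cBridge. It is a standalone contract rather than a diamond facet, so storage is kept inline instead of in LiFi's facet-storage pattern; the `refunder` role, the `ICBridge.send` signature and the transferId derivation (sender, receiver, token, amount, dstChainId, nonce, source chainId, hashed in that order, as in sgn-v2's `Bridge.send`) are assumptions stated for the example. The key points are that the rightful owner is recorded under the same id cBridge will use for the refund, and that the refunded flag is set before the transfer so a second call for the same id reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used below. Production code should use SafeERC20,
// since tokens such as USDT do not return a bool from transfer().
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed shape of cBridge's send(), as understood from sgn-v2 Bridge.sol.
interface ICBridge {
    function send(
        address _receiver, address _token, uint256 _amount,
        uint64 _dstChainId, uint64 _nonce, uint32 _maxSlippage
    ) external;
}

// Illustrative standalone contract (not the li.fi diamond): records who funded each
// cBridge transfer and returns refunded funds to that user exactly once.
contract CBridgeRefundLedger {
    struct Pending {
        address user;     // rightful owner of the funds
        address token;
        uint256 amount;
        bool refunded;    // set before paying out, so a repeat call reverts
    }

    ICBridge public immutable cBridge;
    address public immutable refunder;           // hypothetical operator role
    mapping(bytes32 => Pending) public pending;  // transferId => record

    event TransferRecorded(bytes32 indexed transferId, address indexed user, address token, uint256 amount);
    event Refunded(bytes32 indexed transferId, address indexed user, address token, uint256 amount);

    constructor(ICBridge _cBridge, address _refunder) {
        cBridge = _cBridge;
        refunder = _refunder;
    }

    // Assumed to mirror how cBridge derives its transferId inside send(). The
    // sender component is this contract, because that is what cBridge sees as
    // msg.sender and therefore what it refunds to.
    function computeTransferId(
        address receiver, address token, uint256 amount, uint64 dstChainId, uint64 nonce
    ) public view returns (bytes32) {
        return keccak256(abi.encodePacked(
            address(this), receiver, token, amount, dstChainId, nonce, uint64(block.chainid)
        ));
    }

    // Bridging entry point: pull tokens, hand them to cBridge, and remember the
    // rightful owner under the id cBridge will use for any later refund.
    function startBridgeTokensViaCBridge(
        address receiver, address token, uint256 amount,
        uint64 dstChainId, uint64 nonce, uint32 maxSlippage
    ) external {
        bytes32 transferId = computeTransferId(receiver, token, amount, dstChainId, nonce);
        require(pending[transferId].user == address(0), "transferId already used");
        pending[transferId] = Pending({user: msg.sender, token: token, amount: amount, refunded: false});

        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        require(IERC20(token).approve(address(cBridge), amount), "approve failed");
        cBridge.send(receiver, token, amount, dstChainId, nonce, maxSlippage);

        emit TransferRecorded(transferId, msg.sender, token, amount);
    }

    // Refund path. cBridge has already sent the tokens back to transfer.sender,
    // i.e. this contract; the only job here is to route them to the user once.
    function refundUser(bytes32 transferId) external {
        require(msg.sender == refunder, "not refunder");
        Pending storage p = pending[transferId];
        require(p.user != address(0), "unknown transferId");
        require(!p.refunded, "already refunded");

        p.refunded = true; // effects before interaction: re-entrant or repeated calls revert
        require(IERC20(p.token).transfer(p.user, p.amount), "refund transfer failed");
        emit Refunded(transferId, p.user, p.token, p.amount);
    }
}
```

The `refunder` still has to confirm off-chain (for instance from cBridge's withdraw event or the contract's token balance) that the refund for a given id has actually landed before calling `refundUser`; the ledger only guarantees that whoever paid in is the one paid out, and that it happens once. Native-token transfers and the `transferId` collision check against cBridge's own nonce handling are left out of this sketch.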