Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/CBridgeFacet.sol#L68
Vulnerability details
Impact
When a user bridges the native token via the startBridgeTokensViaCBridge function of CBridgeFacet, the contract only checks that msg.value >= _cBridgeData.amount holds. In other words, if a user accidentally sends more native tokens than required, the contract accepts the call but only bridges _cBridgeData.amount. The surplus (msg.value - _cBridgeData.amount) is left in the contract with no record of who sent it and can be recovered by anyone (see another submission for details).
Notice that the equivalent functions of other facets (e.g., AnyswapFacet, HopFacet) require the provided native token to equal the bridged amount exactly, which prevents the above loss of funds.
Proof of Concept
CBridgeFacet.sol#L68
Recommended Mitigation Steps
Consider changing >= to == at line 68, so that startBridgeTokensViaCBridge applies the same exact-amount check on msg.value that AnyswapFacet and HopFacet already use. A call that sends more than _cBridgeData.amount then reverts instead of stranding the surplus in the contract.
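The loose check described under Impact and the exact check recommended above, side by side, as an added illustration that is not LI.FI's code: NativeBridgeChecks, BridgeStub, Demo and NativeBridgeData are hypothetical stand-ins for CBridgeFacet, the cBridge contract and CBridgeData, and the bridge call is reduced to a single value transfer so the effect of the require on the contract's own balance is easy to see.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added example, not the LI.FI code base. The real facet forwards a richer
// CBridgeData struct to the cBridge contract; here only the fields needed to
// show the msg.value check are kept.
interface IBridgeStub {
    function send(address receiver, uint256 amount) external payable;
}

// Hypothetical stand-in for the native-token path of CBridgeData.
struct NativeBridgeData {
    address receiver;
    uint256 amount; // amount the user asks the facet to bridge
}

contract NativeBridgeChecks {
    IBridgeStub public immutable bridge;

    constructor(IBridgeStub _bridge) {
        bridge = _bridge;
    }

    // Vulnerable shape (mirrors the `>=` at CBridgeFacet.sol#L68): any surplus
    // is accepted, only `amount` is forwarded, and msg.value - amount stays at
    // address(this) with no record of the sender.
    function bridgeNativeLoose(NativeBridgeData calldata d) external payable {
        require(msg.value >= d.amount, "ERR_INVALID_AMOUNT");
        bridge.send{value: d.amount}(d.receiver, d.amount);
    }

    // Hardened shape (the `==` used by the other facets): a mismatched
    // msg.value reverts, so no user funds enter the contract at all.
    function bridgeNativeExact(NativeBridgeData calldata d) external payable {
        require(msg.value == d.amount, "ERR_INVALID_AMOUNT");
        bridge.send{value: d.amount}(d.receiver, d.amount);
    }

    // Native token sitting in the facet that belongs to nobody in particular.
    function stranded() external view returns (uint256) {
        return address(this).balance;
    }
}

// Minimal stand-in for the bridge contract: just accepts the forwarded value.
contract BridgeStub is IBridgeStub {
    uint256 public received;

    function send(address, uint256 amount) external payable override {
        require(msg.value == amount, "stub: value mismatch");
        received += amount;
    }
}

// Drives both paths with a deliberately oversized msg.value. Call run() with
// at least 3 ether; it returns the amount stranded by the loose check and
// whether the exact check rejected the same call.
contract Demo {
    function run() external payable returns (uint256 strandedLoose, bool exactReverted) {
        require(msg.value >= 3 ether, "fund the demo with >= 3 ether");

        BridgeStub stub = new BridgeStub();
        NativeBridgeChecks facet = new NativeBridgeChecks(stub);
        NativeBridgeData memory d = NativeBridgeData(address(0xBEEF), 1 ether);

        // User sends 1.5 ether but only asks to bridge 1 ether.
        facet.bridgeNativeLoose{value: 1.5 ether}(d);
        strandedLoose = facet.stranded(); // 0.5 ether left behind in the facet

        // Same mistake against the exact check: the call reverts and the
        // 1.5 ether stays with the caller.
        try facet.bridgeNativeExact{value: 1.5 ether}(d) {
            exactReverted = false;
        } catch {
            exactReverted = true;
        }
    }
}
```

Deploy Demo and call run() with 3 ether: strandedLoose comes back as 0.5 ether and exactReverted as true, which is the difference between the current line 68 and the proposed fix.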