code-423n4 / 2022-03-lifinance-findings


Incorrect implementation of the `_startBridge` function in `CBridgeFacet` #209

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/CBridgeFacet.sol#L150-L156

Vulnerability details

Impact

The _startBridge function in CBridgeFacet is to bridge the tokens to CBridge by calling the sendNative or send function on the bridge contract. However, when calling the sendNative function, no native token is sent to the bridge. The sendNative call always fails because the CBridge side checks whether the exact _cBridgeData.amount of native tokens is provided. If not, it reverts the transaction.

Proof of Concept

Take the Ethereum CBridge V2 as an example. The sendNative function ensures the exact amount of native tokens is provided at line 64.

```solidity
function sendNative(
    address _receiver,
    uint256 _amount,
    uint64 _dstChainId,
    uint64 _nonce,
    uint32 _maxSlippage
) external payable nonReentrant whenNotPaused {
    require(msg.value == _amount, "Amount mismatch");
    require(nativeWrap != address(0), "Native wrap not set");
    bytes32 transferId = _send(_receiver, nativeWrap, _amount, _dstChainId, _nonce, _maxSlippage);
    IWETH(nativeWrap).deposit{value: _amount}();
    emit Send(transferId, msg.sender, _receiver, nativeWrap, _amount, _dstChainId, _nonce, _maxSlippage);
}
```

CBridgeFacet.sol#L150-L156

Recommended Mitigation Steps

Consider sending _cBridgeData.amount amount of native tokens when calling the sendNative function, for example:

```solidity
ICBridge(bridge).sendNative{ value: _cBridgeData.amount }(
    _cBridgeData.receiver,
    _cBridgeData.amount,
    _cBridgeData.dstChainId,
    _cBridgeData.nonce,
    _cBridgeData.maxSlippage
);
```

Also, add a payable keyword to the sendNative function in the ICBridge interface.
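
The following is an added, self-contained illustration of the finding and its mitigation; it is not code from the LI.FI repository or the warden's report. `MockCBridge` is a constructed stand-in that keeps only the `msg.value == _amount` check quoted above, `BridgeDemo` is a hypothetical facet with the defective and corrected call side by side, and the chain id, nonce and slippage arguments are arbitrary constants.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the CBridge V2 entry point. It reproduces only the
// check that makes the reported call revert; WETH wrapping etc. is left out.
contract MockCBridge {
    event Send(address receiver, uint256 amount, uint64 dstChainId);

    function sendNative(address _receiver, uint256 _amount, uint64 _dstChainId, uint64, uint32)
        external payable
    {
        require(msg.value == _amount, "Amount mismatch");
        emit Send(_receiver, _amount, _dstChainId);
    }
}

// As the mitigation recommends, sendNative is declared payable in the interface
// so the caller can attach value to the call at all.
interface ICBridge {
    function sendNative(address, uint256, uint64, uint64, uint32) external payable;
}

// Hypothetical facet showing the defective and the corrected call.
contract BridgeDemo {
    ICBridge public immutable bridge;

    constructor(ICBridge _bridge) { bridge = _bridge; }

    // Mirrors the reported defect: the user's ETH stays in this contract and
    // nothing is forwarded, so the bridge's "Amount mismatch" check reverts.
    function startBridgeBroken(address receiver, uint256 amount) external payable {
        bridge.sendNative(receiver, amount, 1, 0, 0);
    }

    // Mitigated version: forward exactly `amount` wei with the call.
    function startBridgeFixed(address receiver, uint256 amount) external payable {
        bridge.sendNative{value: amount}(receiver, amount, 1, 0, 0);
    }

    // Exercises both paths with msg.value (assumed > 0) and reports which one
    // succeeded. Expected: brokenOk == false, fixedOk == true.
    function compare(address receiver) external payable returns (bool brokenOk, bool fixedOk) {
        (brokenOk, ) = address(this).call{value: msg.value}(
            abi.encodeWithSelector(this.startBridgeBroken.selector, receiver, msg.value));
        (fixedOk, ) = address(this).call{value: msg.value}(
            abi.encodeWithSelector(this.startBridgeFixed.selector, receiver, msg.value));
    }
}
```

Deploy `MockCBridge`, pass its address to `BridgeDemo`, and call `compare` with a non-zero value: the first self-call is rolled back by the bridge's revert while the second one emits `Send`, which is the behaviour difference the report describes.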

H3xept commented 2 years ago

Duplicate of #35

gzeoneth commented 2 years ago

Changing to Med Risk as no fund is lost.