Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/CBridgeFacet.sol#L150-L156
Vulnerability details
Impact
The _startBridge function in CBridgeFacet bridges tokens to CBridge by calling the sendNative or send function on the bridge contract. However, when it calls the sendNative function, no native token is sent to the bridge. The sendNative call always fails because the CBridge side checks whether the exact _cBridgeData.amount of native tokens is provided. If not, it reverts the transaction.
Proof of Concept
Take the Ethereum CBridge V2 as an example. The sendNative function ensures at line 64 that the exact amount of native tokens is provided.
CBridgeFacet.sol#L150-L156
Recommended Mitigation Steps
Consider sending _cBridgeData.amount of native tokens when calling the sendNative function, for example:
Also, add a payable keyword to the sendNative function in the ICBridge interface.
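The failing call next to the corrected one, as an added example that is not code from the LiFi or CBridge repositories. The shortened sendNative parameter list, the struct fields other than amount, and the MockCBridge and BridgeCaller contracts are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Simplified interface for illustration; the parameter list is an assumption.
interface ICBridge {
    // `payable` is required, otherwise the {value: ...} call below does not compile.
    function sendNative(address receiver, uint256 amount, uint64 dstChainId) external payable;
}

// Constructed stand-in for the bridge side: reverts unless msg.value equals amount.
contract MockCBridge is ICBridge {
    uint256 public received;

    function sendNative(address, uint256 amount, uint64) external payable override {
        require(msg.value == amount, "Amount mismatch");
        received += msg.value;
    }
}

// Hypothetical caller contract, not the project's facet.
contract BridgeCaller {
    struct CBridgeData {
        address receiver;
        uint256 amount;
        uint64 dstChainId;
    }

    ICBridge public immutable bridge;

    constructor(ICBridge _bridge) {
        bridge = _bridge;
    }

    // Before: forwards no value, so the bridge's check reverts for any amount > 0.
    function startBridgeBroken(CBridgeData memory _cBridgeData) external payable {
        bridge.sendNative(_cBridgeData.receiver, _cBridgeData.amount, _cBridgeData.dstChainId);
    }

    // After: forwards exactly _cBridgeData.amount of native tokens with the call.
    function startBridgeFixed(CBridgeData memory _cBridgeData) external payable {
        // Added guard (assumption): the caller must have supplied the value being forwarded.
        require(msg.value == _cBridgeData.amount, "Value mismatch");
        bridge.sendNative{ value: _cBridgeData.amount }(
            _cBridgeData.receiver,
            _cBridgeData.amount,
            _cBridgeData.dstChainId
        );
    }
}
```

A regression test for this finding should call the native-token path with a non-zero amount and assert that the bridge's balance increases by exactly that amount.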