code-423n4 / 2022-05-cudos-findings


`CosmosERC20.sol#totalSupply()` should return the actual supply bridged from Cosmos #101

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/solidity/contracts/CosmosToken.sol#L4

Vulnerability details

In the current implementation, CosmosERC20.sol#totalSupply() will always return MAX_UINT, which is not the actual totalSupply of the token.

The totalSupply() function should return the actual supply bridged from Cosmos in order to represent the total number of outstanding tokens on Ethereum.

Recommendation

Change to:

pragma solidity ^0.6.6;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract CosmosERC20 is ERC20 {
    uint256 MAX_UINT = 2**256 - 1;
    // Bridge (Gravity) contract that holds every token not yet bridged to Ethereum.
    address private gravityAddress;

    constructor(
        address _gravityAddress,
        string memory _name,
        string memory _symbol,
        uint8 _decimals
    ) public ERC20(_name, _symbol) {
        _setupDecimals(_decimals);
        gravityAddress = _gravityAddress;
        // The whole MAX_UINT supply is minted to the bridge at deployment.
        _mint(_gravityAddress, MAX_UINT);
    }

    // Tokens still held by the bridge are not in circulation on Ethereum,
    // so the supply actually bridged in is MAX_UINT minus the bridge's balance.
    function totalSupply() public view virtual override returns (uint256) {
        return MAX_UINT - balanceOf(gravityAddress);
    }
}

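The accounting behind the two totalSupply() definitions, modelled here as an added Python example that is not part of the finding or of the Cudos/Gravity code base. The model mints MAX_UINT to the bridge at construction, moves tokens out of the bridge when they are bridged in from Cosmos and back into it when they are sent to Cosmos, and compares the reported behaviour (always MAX_UINT) with the proposed one (MAX_UINT minus the bridge's balance) against an independent sum of non-bridge balances. The names `CosmosERC20Model`, `bridge_in`, `send_to_cosmos` and the account labels are assumptions made for the model.

```python
"""Toy model of CosmosERC20 supply accounting (added example, not project code)."""

MAX_UINT = 2**256 - 1


class CosmosERC20Model:
    """Minimal ERC20 balance ledger with the bridge as initial holder of MAX_UINT."""

    def __init__(self, gravity: str) -> None:
        self.gravity = gravity
        # Mirrors the constructor's _mint(_gravityAddress, MAX_UINT).
        self.balances = {gravity: MAX_UINT}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if amount < 0 or self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

    def total_supply_current(self) -> int:
        # Behaviour described in the finding: the ERC20 total never changes.
        return MAX_UINT

    def total_supply_bridged(self) -> int:
        # Proposed override: everything not parked in the bridge contract.
        return MAX_UINT - self.balance_of(self.gravity)

    def circulating(self) -> int:
        # Independent check: sum of balances held by anyone but the bridge.
        return sum(v for k, v in self.balances.items() if k != self.gravity)


def bridge_in(token: CosmosERC20Model, recipient: str, amount: int) -> None:
    """Cosmos -> Ethereum: the bridge releases tokens to the recipient (assumed flow)."""
    token.transfer(token.gravity, recipient, amount)


def send_to_cosmos(token: CosmosERC20Model, sender: str, amount: int) -> None:
    """Ethereum -> Cosmos: tokens are locked back in the bridge (assumed flow)."""
    token.transfer(sender, token.gravity, amount)


def scenario() -> CosmosERC20Model:
    """Constructed sequence of bridge events; account names are placeholders."""
    token = CosmosERC20Model("gravity")
    bridge_in(token, "alice", 1_000)
    bridge_in(token, "bob", 250)
    send_to_cosmos(token, "alice", 400)
    return token


if __name__ == "__main__":
    t = scenario()
    print("current totalSupply():", t.total_supply_current())
    print("bridged totalSupply():", t.total_supply_bridged())
    print("sum of non-bridge balances:", t.circulating())
```

Running the scenario shows the point of the finding and of the maintainers' reply side by side: the current definition reports 2**256 - 1 regardless of bridge activity, while the proposed one tracks the 850 tokens actually held outside the bridge, which is also what the independent balance sum returns. Which figure a consumer wants depends on whether it treats bridge-held tokens as existing (the maintainers' view) or as not yet on Ethereum (the reporter's view).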
V-Staykov commented 2 years ago

We consider the total supply to really represent the total supply of the token. The tokens that are locked in the bridge contract are considered to represent the tokens on the Cosmos network, since they can't be used in circulation unless bridged.

albertchon commented 2 years ago

Yes, this is a design choice.