mlukanova
commented
2 years ago I consider this with lower priority. Currently only the Cudos token is supported.
Closed code423n4 closed 2 years ago
mlukanova
commented
2 years ago I consider this with lower priority. Currently only the Cudos token is supported.
albertchon
commented
2 years ago Not a critical issue
Lines of code
https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/orchestrator/gbt/src/client/deploy_erc20_representation.rs#L91-L94
Vulnerability details
When deploying an erc20 representation, gbt would wait for 100 seconds before declaring the attempt a failure.
Since the claims process requires 2/3 of the voting power worth of validators to successfully send a tx there is a possibility that it may timeout and would result in a vague log message "double check the metadata and try again".
It may be required for waiting for a longer duration say 300 or 600 seconds and inspecting the recent attestation history to determine what may be wrong and present a message to the user that is accurate and not confusing.
Impact
Due to the vague log mesasge, it will not be possible to find out exactly why the deployment went wrong.
Proof of Concept
File : orchestrator/gbt/src/client/deploy_erc20_representation.rs Function : pub async fn deploy_erc20_representation()
Recommended Mitigation Steps
Refer to the fix in this commit : https://github.com/Gravity-Bridge/Gravity-Bridge/commit/1c674cbc83ff392d2d7312ae0f07ab1db125fd7e