code-423n4 / 2022-05-cudos-findings


The `sendToCosmos` function does not check for transfer-on-fee/deflationary tokens #108

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

Gravity.sol#L595-L609

Vulnerability details

Impact

The documentation describes the use of tokens other than CUDOS in the Gravity.sol contract; so it is assumed that the CUDOS token will not be the only supported token. The documentation also states that validators on the Tendermint chain will use the information in the emitted event for the sendToCosmos function to determine the amount of tokens to be minted on the Tendermint side.

For transfer-on-fee/deflationary tokens, where the final _amount emitted may not be the same as the _amount in, the emitted amount value in SendToCosmosEvent could be incorrect. This could result in a mismatch of the balance between the Ethereum side and the Tendermint side for the account.

Proof of Concept

  1. Ethereum Account sends 100 tokens (transfer-on-fee tokens) to Gravity.sol using the sendToCosmos function.
  2. After the transfer, the amount of tokens actually sent to Gravity.sol is less than _amount (e.g. 90 tokens).
  3. The sendToCosmos function emits the original amount (100 tokens).
  4. The validators on the Tendermint side use the emitted amount (100 tokens) value to determine how many tokens to mint instead of the actual amount received by Gravity.sol.

Tools Used

Recommended Mitigation Steps

Check the balance of the Gravity contract before the transfer and again after the transfer in sendToCosmos. The emitted amount should be the difference of the 2 balances.
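
The mitigation described above, as an added illustration that is not Gravity.sol's code nor part of the original finding: a hypothetical minimal deposit contract showing the unchecked pattern beside the balance-difference version. The event signature, function names and parameter names are assumptions; it relies on OpenZeppelin's `IERC20`, `SafeERC20` and `ReentrancyGuard`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical minimal bridge deposit contract (not Gravity.sol).
contract BridgeDeposit is ReentrancyGuard {
    using SafeERC20 for IERC20;

    uint256 public lastEventNonce;

    // Assumed event shape; validators read `amount` to decide what to mint.
    event SendToCosmosEvent(
        address indexed tokenContract,
        address indexed sender,
        bytes32 indexed destination,
        uint256 amount,
        uint256 eventNonce
    );

    // Unchecked pattern: emits the caller-supplied _amount. For a
    // fee-on-transfer token, 100 in may leave only 90 in this contract,
    // yet 100 is what the event reports to the other chain.
    function sendToCosmosUnchecked(address _tokenContract, bytes32 _destination, uint256 _amount) external {
        IERC20(_tokenContract).safeTransferFrom(msg.sender, address(this), _amount);
        lastEventNonce += 1;
        emit SendToCosmosEvent(_tokenContract, msg.sender, _destination, _amount, lastEventNonce);
    }

    // Mitigated pattern: snapshot this contract's balance before and after the
    // transfer and emit the difference, i.e. the amount actually received.
    // nonReentrant guards the two balance reads against tokens with transfer
    // hooks that could re-enter between them.
    function sendToCosmos(address _tokenContract, bytes32 _destination, uint256 _amount) external nonReentrant {
        IERC20 token = IERC20(_tokenContract);
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), _amount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        lastEventNonce += 1;
        emit SendToCosmosEvent(_tokenContract, msg.sender, _destination, received, lastEventNonce);
    }
}
```

With a 10% fee-on-transfer token, `sendToCosmosUnchecked` emits 100 while `sendToCosmos` emits 90, which is the figure the Tendermint side should mint against.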

mlukanova commented 2 years ago

Duplicate of #3