search

code-423n4 / 2022-06-connext-findings

1 stars 0 forks source link

call() should be used instead of send() on an address payable #243

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/facets/BridgeFacet.sol#L875 https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/facets/RelayerFacet.sol#L149

Vulnerability details

Impact

The use of the send() function for an address will inevitably make the transaction fail when:

The claimer smart contract does not implement a payable function.
The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit.
The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.

Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.

Proof of Concept

Impacted lines: At BridgeFacet.sol

875:         s.promiseRouter.send(_args.params.originDomain, _transferId, _args.params.callback, success, returnData);

At RelayerFacet.sol;

149:     s.relayerFeeRouter.send(_domain, _recipient, _transferIds);

Consensys Reference

Tools Used

Manual review

Recommended Mitigation Steps

I recommend using call() instead of send()

LayneHaber commented 2 years ago

This is for calling a function named send to send a crosschain message

0xleastwood commented 1 year ago

Agree, send() is a function implemented by the promise router.