code-423n4 / 2022-07-axelar-findings


Fee-On-Transfer Token Will Cause Accounting Issue Within `AxelarGasService` Contract #157

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L12
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L35
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L98

Vulnerability details

The following functions within the AxelarGasService contract accept ERC20 tokens:

If the ERC20 tokens are Fee-On-Transfer tokens, this will cause an accounting issue within the AxelarGasService contract, as the amount received by the contract differs from the amount emitted in the event.

Proof-of-Concept

The POCs for payGasForContractCall and payGasForContractCallWithToken are similar to the one for addGas, so they are omitted for brevity.

Consider the AxelarGasService.addGas function. Assume that the gasToken is a Fee-On-Transfer token called XYZ that charges a 5% transfer fee.

If Alice calls the addGas function with gasToken set to XYZ and gasFeeAmount set to 100, the contract will only receive 95 XYZ tokens, while an event with gasFeeAmount equal to 100 is emitted.

https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L98

```solidity
function addGas(
    bytes32 txHash,
    uint256 logIndex,
    address gasToken,
    uint256 gasFeeAmount,
    address refundAddress
) external override {
    // Pulls gasFeeAmount from the caller; a fee-on-transfer token delivers less than this.
    _safeTransferFrom(gasToken, msg.sender, gasFeeAmount);

    // The requested amount, not the amount actually received, is what gets emitted.
    emit GasAdded(txHash, logIndex, gasToken, gasFeeAmount, refundAddress);
}
```

Impact

This will create a discrepancy between the information in the on-chain events and the actual number of tokens received by the contract.

Axelar's microservice or third-party external services that listen to the on-chain event will be fed inaccurate data, causing accounting issues within the system.

Recommendation

Ensure that Fee-On-Transfer tokens are not used as gas tokens within the system.
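
As an added illustration of the recommendation (not code from the finding or from Axelar), the sketch below measures the contract's balance before and after the pull and refuses any token that delivers less than requested, so the emitted amount can never disagree with what the contract holds. The `FeeOnTransferToken` mock, the `HardenedGasService` contract and the `FeeOnTransferTokenNotSupported` error are constructed here for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Constructed mock of the "XYZ" token from the PoC: burns 5% of every transfer.
contract FeeOnTransferToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        uint256 fee = amount * 5 / 100;   // 5% fee, burned
        balanceOf[to] += amount - fee;    // recipient gets 95 for a requested 100
        return true;
    }
}

// Hypothetical hardened gas service: the event carries the amount actually received.
contract HardenedGasService {
    error FeeOnTransferTokenNotSupported(address token, uint256 expected, uint256 received);

    event GasAdded(bytes32 txHash, uint256 logIndex, address gasToken, uint256 gasFeeAmount, address refundAddress);

    function addGas(bytes32 txHash, uint256 logIndex, address gasToken, uint256 gasFeeAmount, address refundAddress) external {
        uint256 before = IERC20(gasToken).balanceOf(address(this));
        require(IERC20(gasToken).transferFrom(msg.sender, address(this), gasFeeAmount), "transfer failed");
        uint256 received = IERC20(gasToken).balanceOf(address(this)) - before;

        // Enforce the recommendation: a token that delivers less than requested is rejected,
        // so downstream services reading GasAdded never see an inflated gasFeeAmount.
        if (received != gasFeeAmount) {
            revert FeeOnTransferTokenNotSupported(gasToken, gasFeeAmount, received);
        }
        emit GasAdded(txHash, logIndex, gasToken, received, refundAddress);
    }
}
```

With the mock token, a call with `gasFeeAmount = 100` reverts with `FeeOnTransferTokenNotSupported(token, 100, 95)` instead of emitting 100 while holding 95.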

re1ro commented 2 years ago

Duplicate of #16

GalloDaSballo commented 2 years ago

Dup of #178