Lines of code
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L12
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L35
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L98

Vulnerability details
The following functions within the AxelarGasService contract accept ERC20 tokens: payGasForContractCall, payGasForContractCallWithToken and addGas (see the lines of code above).

If the ERC20 token is a Fee-On-Transfer token, this causes an accounting issue within the AxelarGasService contract, because the amount actually received by the contract differs from the amount emitted in the event.

Proof-of-Concept
The PoCs for payGasForContractCall and payGasForContractCallWithToken are similar to the one for addGas and are omitted for brevity.

Consider the AxelarGasService.addGas function (https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L98). Assume that the gasToken is a Fee-On-Transfer token called XYZ that charges a 5% transfer fee.

If Alice calls the addGas function with gasToken set to XYZ and gasFeeAmount set to 100, the contract receives only 95 XYZ tokens, while an event with gasFeeAmount equal to 100 is emitted.

Impact
This creates a discrepancy between the information in the on-chain events and the actual number of tokens received by the contract.
Axelar's microservice, or any third-party external service listening to the on-chain event, is fed inaccurate data, causing accounting issues within the system.

Recommendation
Ensure that Fee-On-Transfer tokens are not used as gas tokens within the system.
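The following Solidity sketch is an added illustration and is not code from the Axelar repository. It pairs a constructed fee-on-transfer mock (FeeOnTransferMock, burning 5% of each transfer, matching the XYZ example above) with a hypothetical gas-service contract (GasServiceSketch) that shows the vulnerable pattern, emitting the requested gasFeeAmount, beside a hardened variant that measures the balance delta and rejects any token whose received amount does not equal the requested amount. All contract, function and event names here are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Hypothetical minimal ERC20 surface used by the example (not the Axelar interfaces).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Constructed fee-on-transfer token: burns 5% of every transfer, so the
// receiver gets 95 out of every 100 sent. It exists only to exercise the sketch.
contract FeeOnTransferMock is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public constant FEE_BPS = 500; // 5% in basis points

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount; // reverts on insufficient allowance (0.8 checked math)
        balanceOf[from] -= amount;             // sender is debited the full amount
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[to] += amount - fee;         // receiver is credited net of the burned fee
        return true;
    }
}

// Hypothetical gas-service sketch (not AxelarGasService) showing the
// vulnerable pattern and a hardened replacement side by side.
contract GasServiceSketch {
    event GasPaid(address indexed sender, address indexed gasToken, uint256 gasFeeAmount);

    error FeeOnTransferNotSupported(address gasToken, uint256 expected, uint256 received);

    // Vulnerable pattern: trusts the caller-supplied amount. With the mock above,
    // gasFeeAmount = 100 credits the contract 95 but the event still says 100.
    function addGasUnchecked(address gasToken, uint256 gasFeeAmount) external {
        IERC20(gasToken).transferFrom(msg.sender, address(this), gasFeeAmount);
        emit GasPaid(msg.sender, gasToken, gasFeeAmount);
    }

    // Hardened pattern: derive the paid amount from the balance delta and refuse
    // any token for which it differs from gasFeeAmount, so off-chain consumers of
    // GasPaid never see more than the contract actually holds.
    function addGasChecked(address gasToken, uint256 gasFeeAmount) external returns (uint256 received) {
        uint256 balanceBefore = IERC20(gasToken).balanceOf(address(this));
        IERC20(gasToken).transferFrom(msg.sender, address(this), gasFeeAmount);
        received = IERC20(gasToken).balanceOf(address(this)) - balanceBefore;
        if (received != gasFeeAmount) {
            revert FeeOnTransferNotSupported(gasToken, gasFeeAmount, received);
        }
        emit GasPaid(msg.sender, gasToken, received);
    }
}
```

To reproduce the finding with this sketch: mint 100 mock tokens to Alice, have her approve the gas service, then call addGasUnchecked(mock, 100); the contract's mock balance reads 95 while the GasPaid event carries 100. Calling addGasChecked(mock, 100) instead reverts with FeeOnTransferNotSupported(mock, 100, 95), which is one concrete way to enforce the recommendation that fee-on-transfer tokens are not accepted as gas tokens. An alternative design that accepts such tokens would emit `received` rather than revert, but the event then reflects net amounts and every downstream consumer must be aware of that.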