code-423n4 / 2022-07-axelar-findings


Tokens with fee on transfer not supported #178

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L12

https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L46

Vulnerability details

Impact

When a fee is collected on token transfers (like USDT can do), the code can fail. Note: rebasing/deflationary/inflationary underlying tokens whose balance changes during transfers or over time have similar problems.

Suppose 100 USDT is transferred via safeTransferFrom() to the AxelarGasService contract, and a fee is applied (currently 0, but might be changed in the future). Then you might receive 99.99 USDT. Now you try to use this gas (100 USDT); this will fail because the contract is 1 cent short.

Proof of Concept

https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L12

Tools Used

Code Review

Recommended Mitigation Steps

Consider checking the transferred amount by subtracting the before & after balance.
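The balance-difference check recommended above, sketched as an added example (not code from the Axelar repository or from the report's author). The contract name `GasReceiverSketch`, the `payGas` signature, the `GasPaid` event and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration; all names are hypothetical, not taken from AxelarGasService.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GasReceiverSketch {
    error TransferFailed();
    error NothingReceived();

    // Carries the amount that actually arrived alongside the requested amount.
    event GasPaid(address indexed payer, address indexed token, uint256 requested, uint256 received);

    function payGas(address token, uint256 amount) external {
        uint256 received = _pullTokens(token, msg.sender, amount);
        if (received == 0) revert NothingReceived();
        // Account for `received`, never for the caller-supplied `amount`.
        emit GasPaid(msg.sender, token, amount, received);
    }

    // Pull `amount` from `from` and return what this contract really received.
    function _pullTokens(address token, address from, uint256 amount) internal returns (uint256) {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));

        // Low-level call so tokens that return no value are still accepted.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, address(this), amount)
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();

        // With a transfer fee, this difference is smaller than `amount`.
        return IERC20(token).balanceOf(address(this)) - balanceBefore;
    }
}
```

Any later refund or payout should be bounded by the recorded `received` value, so the contract never promises more of a token than it holds.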

GalloDaSballo commented 2 years ago

Function uses param instead of actual value

re1ro commented 2 years ago

Duplicate of #16

GalloDaSballo commented 2 years ago

Dup of #160