code-423n4 / 2022-07-axelar-findings

0 stars 0 forks source link

Use `call()` instead of `transfer()` while dealing with `eth` #189

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L86 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L63

Vulnerability details

Impact

The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
The claimer smart contract does not implement a payable function.
The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit.
The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.

Proof of Concept

function receiveAndUnwrapNative(address payable refundAddress, address payable recipient) external {
  .......................
    IWETH9(wrappedTokenAddress).withdraw(amount);
    recipient.transfer(amount);
    .........
  }

Tools Used

manual analysis
Recommended Mitigation Steps
Use call()

GalloDaSballo commented 2 years ago

See #203

re1ro commented 2 years ago

Duplicate of #4