code-423n4 / 2022-07-axelar-findings


Functions that send Ether to arbitrary destinations #193

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L16
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L23
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L44
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L51
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L63
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L70
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L71
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L86

Vulnerability details

M-1. Functions that send Ether to arbitrary destinations

Description

Unprotected call to a function that allows a user to refund to another address.

Mitigation

Ensure that an arbitrary user cannot withdraw unauthorized funds.

Lines in the code

ReceiverImplementation.receiveAndSendToken

ReceiverImplementation.sol#L16 ReceiverImplementation.sol#L23

ReceiverImplementation.receiveAndSendNative

ReceiverImplementation.sol#L44 ReceiverImplementation.sol#L51 ReceiverImplementation.sol#L63

ReceiverImplementation.receiveAndUnwrapNative

ReceiverImplementation.sol#L70 ReceiverImplementation.sol#L71 ReceiverImplementation.sol#L86

GalloDaSballo commented 2 years ago

See comment above: https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L14

GalloDaSballo commented 2 years ago

Disputing per my own comment: the contracts are "routing contracts"; they will be called by another contract.
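As an added illustration (not Axelar's code and not part of the finding or the judge's reply), the pattern the finding describes is shown next to the access-controlled form that matches the judge's point that the router is only ever driven by one trusted contract. Contract names, function names and the `depositService` storage variable are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration, not Axelar's ReceiverImplementation.
// Pattern flagged by the finding: a refund path that forwards this contract's
// native balance to a caller-supplied address and is reachable by anyone.
contract UnprotectedRouter {
    function receiveAndRefund(address payable refundAddress) external {
        (bool ok, ) = refundAddress.call{value: address(this).balance}("");
        require(ok, "refund failed");
    }

    receive() external payable {}
}

// Hardened form matching the stated design: the router is a "routing contract"
// called only by one trusted service contract, so the entry point pins msg.sender.
contract RestrictedRouter {
    address public immutable depositService; // trusted caller, fixed at deployment

    error NotDepositService(address caller);

    constructor(address _depositService) {
        require(_depositService != address(0), "zero deposit service");
        depositService = _depositService;
    }

    modifier onlyDepositService() {
        if (msg.sender != depositService) revert NotDepositService(msg.sender);
        _;
    }

    // refundAddress is still supplied by the caller, but the only caller that
    // passes the modifier is the deposit service, so an arbitrary user cannot
    // direct the balance to an address of their choosing.
    function receiveAndRefund(address payable refundAddress) external onlyDepositService {
        (bool ok, ) = refundAddress.call{value: address(this).balance}("");
        require(ok, "refund failed");
    }

    receive() external payable {}
}
```

Static analysers flag both variants as "arbitrary send" because the destination is a parameter; the difference a reviewer must establish, as the judge did here, is who can reach the function.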