Closed code423n4 closed 2 years ago
An array of all the added gas is created and, in the order in which they were received, gas is consumed until the amount required is found. Then the leftover gas can be refunded to the users specified. Frontrunning will just result in your gas money being lost first. Adding more gas means you will be able to get refunded the amount you added (if the user added enough gas), but you will need to pay for gas anyway, so you end up losing money.
Frontrunner [1, 9999] Spent = 500 Remaining = 500
Assuming that the refunds are capped at the amount added, the frontrunner will either receive 1 token back or 0.
Either they risked for nothing or they lost.
Because the logic for determining the refund is not in scope and is not available to me I cannot add further thoughts.
However, given the logic discussed above, I think the finding is invalid and frontrunners will just donate their gas to the caller.
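As an added illustration (not code from the issue, the comment above, or the Axelar codebase), the following Python models the two refund-accounting designs the thread contrasts: a single per-tx record whose refund address is overwritten by every addGas() call, and the ordered ledger described in the comment above, where contributions are consumed in the order received and each contributor's unused remainder goes back to the refund address they gave. Both models and the amounts are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class GasAdd:
    """One addGas() call: who paid, where leftovers go, how much was added (constructed)."""
    payer: str
    refund_addr: str
    amount: int


def refunds_ordered_ledger(adds, gas_used):
    """Model from the comment above (assumed): consume contributions in the
    order received until gas_used is covered; the unused part of each
    contribution is refunded to that contribution's own refund address."""
    refunds = {}
    remaining = gas_used
    for add in adds:
        consumed = min(add.amount, remaining)
        remaining -= consumed
        leftover = add.amount - consumed
        if leftover:
            refunds[add.refund_addr] = refunds.get(add.refund_addr, 0) + leftover
    return refunds


def refunds_single_record(adds, gas_used):
    """Hypothetical model the issue worries about (assumed): one record per
    tx hash whose refund address is overwritten on each call, so whoever
    called addGas() last receives the whole leftover."""
    if not adds:
        return {}
    total = sum(a.amount for a in adds)
    return {adds[-1].refund_addr: max(total - gas_used, 0)}


if __name__ == "__main__":
    # Constructed scenario: Alice funds 9999 gas for her tx, Bob adds 1 with his own refund address.
    gas_used = 500
    bob_first = [GasAdd("bob", "bob", 1), GasAdd("alice", "alice", 9999)]
    bob_last = [GasAdd("alice", "alice", 9999), GasAdd("bob", "bob", 1)]
    for label, adds in (("Bob frontruns", bob_first), ("Bob adds after Alice", bob_last)):
        print(label)
        print("  ordered ledger :", refunds_ordered_ledger(adds, gas_used))
        print("  single record  :", refunds_single_record(adds, gas_used))
```

Under the ordered ledger Bob can never receive more than he put in, which is the comment's point; under the single-record model a later call redirects Alice's entire leftover to Bob, which is the outcome the issue asks the sponsor to rule out.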
Lines of code
https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L98
Vulnerability details
Impact
Anybody is allowed to add gas for a specific tx. I was trying to figure out whether the following scenarios are possible:
addGas() for Alice's tx hash. So he adds some gas for it and specifies his own refund address.
The idea is that Bob somehow overrides or sets the initial value for the gas refund so that any excess gas after Alice's tx is not sent to the address she specified but to Bob's. That way he could steal some funds.
I didn't manage to find the logic in https://github.com/axelarnetwork/axelar-core that handles the refunds. After asking the sponsor about it, I was told that the repo for that is private for now. So I wasn't able to check whether the issue is valid or not.
It depends on the way the refunds are stored. Is there only a single refund object for each tx hash that keeps track of the total amount and the refund address? Then you might have a problem.
I still decided to submit it here so that the sponsor is able to verify it on their own. I rate it as MED because it impacts the gas refunds and thus funds of a user.
Tools Used
none
Recommended Mitigation Steps
Hard to say because of missing information on how the gas refunds are handled in the node code. An easy solution would be to only allow the "owner" of a tx to be able to increase the gas for it.