The use of the deprecated transfer() function for an address will inevitably make the transaction fail if:
1.The claimer smart contract does not implement a payable function.
2.The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit.
3.The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call’s gas usage above 2300.
Note - using higher than 2300 gas might be mandatory for some multisig wallets.
Proof of Concept
Check the links above
Recommended Mitigation Steps
Replace transfer() with call(). Keep in mind to check whether the call was successful by validating the return value.
re1ro
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L23 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L51 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L70 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L86 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L128 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L144 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L63
Vulnerability details
Impact
The use of the deprecated transfer() function for an address will inevitably make the transaction fail if: 1.The claimer smart contract does not implement a payable function. 2.The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit. 3.The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call’s gas usage above 2300. Note - using higher than 2300 gas might be mandatory for some multisig wallets.
Proof of Concept
Check the links above
Recommended Mitigation Steps
Replace transfer() with call(). Keep in mind to check whether the call was successful by validating the return value.