Closed code423n4 closed 1 year ago
leaving open for sponsor review
I guess, This is expected and user should be extra careful while using hooks as also mentioned in the comments "Note that whitelisted senders (some protocol contracts) can include additional calldata
As @csanuragjain noted, this is expected behavior. We want the transfer to revert if the callhook fails, because this allows the ticket to be retried, assuming the failure is temporary. The proposed solution would send the tokens to the refund address, so the tokens wouldn't be lost, but this could potentially break something else in the protocol, as the message from L1 is never received.
Any callhooks that we whitelisted will be checked to ensure they don't have any paths that revert permanently except for critical errors that would indicate something else is going very wrong. Off-chain monitoring can be set up so that if anything really unexpected happens, we should be able to keep tickets alive while we fix/upgrade the destination contract to stop reverting.
With emergencyCallhookRefund switch (default to false), the transfer will revert by default and allow the user to retry with retryable ticket as intended. It helps in an extreme case where you can't fix that contract. Without emergencyCallhookRefund switch, the fund may be lost forever. But if you set emergencyCallhookRefund to true, you may bridge the fund back to the source chain and retry again on the newly deployed contract. However, it is up to you to implement it or not.
downgrading to QA
dupe of #168 - wardens QA report
Lines of code
https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/l2/gateway/L2GraphTokenGateway.sol#L226-L248
Vulnerability details
Impact
If the callhook never succeeds, the L2 transaction will always revert, locking the tokens on the bridge forever. This can be prevented by adding a refund mechanism and a switch to trigger an emergency refund for a particular contract.
Proof of Concept
As your comment said "Note that whitelisted senders (some protocol contracts) can include additional calldata for a callhook to be executed on the L2 side when the tokens are received. In this case, the L2 transaction can revert if the callhook reverts, potentially locking the tokens on the bridge if the callhook never succeeds."
There isn't any mechanism to prevent this from happening now.
Recommended Mitigation Steps
Adding a refund mechanism and a switch to trigger an emergency refund for a particular contract.