Closed code423n4 closed 1 year ago
closing as invalid, the docs already clear state what the failure scenario should be
onTokenTransfer(uint256 _from, uint256 _amount, bytes _data): Triggers any additional behavior by the receiver after the tokens have been transferred. The L1 sender address is available in _from, the amount of tokens in _amount, and the additional (usually ABI-encoded) data sent from L1 is available in _data. If the function reverts, the token transfer will revert, so the retryable ticket can be retried until it expires. Therefore it’s recommended that this function only reverts in critical failure scenarios, otherwise the transferred tokens will be lost.
Lines of code
https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/l2/gateway/L2GraphTokenGateway.sol#L244 https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/gateway/ICallhookReceiver.sol#L18-L22
Vulnerability details
Impact
onTokenTransfer should return a magicValue that is validated after. If a magicValue is not returned or incorrectly returned, it may possible that onTokenTransfer is failed but not reverted or it is a different onTokenTransfer implementation than the one we are looking for.
Proof of Concept
There aren't any return values that indicate whether onTokenTransfer is a success or not.
Recommended Mitigation Steps
onTokenTransfer should returns a magicValue that is validated after in finalizeInboundTransfer.