code-423n4 / 2022-10-thegraph-findings


`outboundTransfer` should return excess msg.value #235

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/gateway/L1GraphTokenGateway.sol#L191

Vulnerability details

Impact

In function outboundTransfer, if a user sends more msg.value than required (by accident), then the remaining msg.value is not sent back. So, if msg.value > amount argument, then the excess msg.value is not sent back to msg.sender. This causes loss of funds for the user.

Proof of Concept

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/gateway/L1GraphTokenGateway.sol#L191

Tools Used

Manual review

Recommended Mitigation Steps

Refund the excess msg.value to msg.sender

trust1995 commented 1 year ago

msg.value is intentionally sent to the Bridge. The amount checked against is expectedEth, which is not accurate, so it is not possible to send only that and refund the user.

0xean commented 1 year ago

dupe of #217 - waiting for sponsor to confirm it's invalid.

0xean commented 1 year ago

see #36 / invalid.