`depositGasAnycallConfig` will fail due to unnecessary `wrappedNativeToken.withdraw`

[code423n4]

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootBridgeAgent.sol#L1219-L1222 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootBridgeAgent.sol#L848-L852

Vulnerability details

Impact

depositGasAnycallConfig will fail because an extra wrappedNativeToken.withdraw is made.

Proof of Concept

function depositGasAnycallConfig() external payable {
    _replenishGas(msg.value);
}

function _replenishGas(uint256 _executionGasSpent) internal {
    wrappedNativeToken.withdraw(_executionGasSpent);
    IAnycallConfig(IAnycallProxy(localAnyCallAddress).config()).deposit{value: _executionGasSpent}(address(this));
}

When an EOA calls depositGasAnycallConfig, ether is sent to the contract. However, an unnecessary wrappedNativeToken.withdraw is performed.

Tools Used

Manual

Recommended Mitigation Steps

Move wrappedNativeToken.withdraw(_executionGasSpent); outside _replenishGas to Line 1172

function anyExecute(bytes calldata data) {
    ......
    if (initialGas > 0) {
++      wrappedNativeToken.withdraw(_executionGasSpent);
        _payExecutionGas(userFeeInfo.depositedGas, userFeeInfo.gasToBridgeOut, _initialGas, fromChainId);
    }
}

Assessed type

Context

[c4-judge]

trust1995 marked the issue as duplicate of #305

[c4-judge]

trust1995 marked the issue as satisfactory

[c4-judge]

trust1995 changed the severity to 2 (Med Risk)

[c4-judge]

trust1995 marked the issue as partial-50

[trust1995]

Issue was reduced to partial 50 because not enough context was given, especially when submitting the issue as high severity, which requires concrete proof of correctness.