code-423n4 / 2023-05-maia-findings


No gas refund for RootBridgeAgent.anyFallback() and BranchBridgeAgent.anyFallback() #386

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L831-L846

https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchBridgeAgent.sol#L1061-L1085

Vulnerability details

When a crosschain transaction fails, anyFallback() will be executed and _payFallbackGas() will deduct the fallback execution cost from the user's deposited gas. However, the remaining deposited gas after deduction is not refunded to the user and is locked within the contract.

Impact

The user will lose the unconsumed gas deposit, as there is no function to withdraw it.

Recommended Mitigation Steps

Refund the remaining gas deposit to the user after deduction of the fallback execution cost.

Assessed type

Other
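
The accounting pattern reported above, next to the recommended refund, as an added example that is not part of the original report and is not the Maia bridge agent code. The contract, its functions and variables are hypothetical, and the `cost` argument stands in for the fallback execution cost that the real contracts compute themselves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model with hypothetical names; not the RootBridgeAgent/BranchBridgeAgent code.
contract FallbackGasModel {
    struct Deposit {
        address owner;        // account that funded the cross-chain call
        uint256 depositedGas; // native token reserved for execution and fallback
    }

    address public immutable executor;          // assumed trusted caller of the fallback
    mapping(uint32 => Deposit) public deposits; // keyed by deposit nonce
    uint256 public collectedFees;               // gas cost owed to the executor
    event FallbackSettled(uint32 indexed nonce, uint256 cost, uint256 refunded);

    constructor() { executor = msg.sender; }

    function deposit(uint32 nonce) external payable {
        require(deposits[nonce].owner == address(0), "nonce used");
        deposits[nonce] = Deposit(msg.sender, msg.value);
    }

    /// Reported behaviour: the cost is deducted, but the remainder stays
    /// recorded in the contract and no function lets the owner withdraw it.
    function settleFallbackNoRefund(uint32 nonce, uint256 cost) external {
        require(msg.sender == executor, "not executor");
        Deposit storage d = deposits[nonce];
        require(d.depositedGas >= cost, "insufficient gas deposit");
        d.depositedGas -= cost;
        collectedFees += cost;
        emit FallbackSettled(nonce, cost, 0);
    }

    /// Recommended mitigation: deduct the cost, then return the remainder.
    function settleFallbackWithRefund(uint32 nonce, uint256 cost) external {
        require(msg.sender == executor, "not executor");
        Deposit storage d = deposits[nonce];
        require(d.depositedGas >= cost, "insufficient gas deposit");
        uint256 refund = d.depositedGas - cost;
        address owner = d.owner;
        d.depositedGas = 0; // clear state before the external call (reentrancy)
        collectedFees += cost;
        emit FallbackSettled(nonce, cost, refund);
        if (refund > 0) {
            (bool ok, ) = payable(owner).call{value: refund}("");
            require(ok, "refund failed");
        }
    }
}
```

In this model a push refund reverts the whole settlement if the recipient rejects the transfer; crediting the remainder to a withdrawable balance instead keeps fallback processing independent of the recipient.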

c4-judge commented 1 year ago

trust1995 marked the issue as primary issue

c4-judge commented 1 year ago

trust1995 marked the issue as duplicate of #786

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory

c4-judge commented 1 year ago

trust1995 marked the issue as partial-50

c4-judge commented 1 year ago

trust1995 marked the issue as not a duplicate

c4-judge commented 1 year ago

trust1995 marked the issue as duplicate of #786

c4-judge commented 1 year ago

trust1995 changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory