Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
deanamiel marked the issue as disagree with severity
Corrected Severity: QA The owner (governance) can change the operator by forcing an upgrade, and thus can control flow limits.
Corrected Severity: QA The owner (governance) can change the operator by forcing an upgrade, and thus can control flow limits.
Agree. Downgrading to QA (Low).
berndartmueller changed the severity to QA (Quality Assurance)
berndartmueller marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/interchain-token-service/InterchainTokenService.sol#L530-L549
Vulnerability details
Impact
README.md (Scope->
FlowLimit.sol
) states that flow limits "act as a security measure to minimize damage of exploits". It is also written (Scope->Operatable.sol
) that the Axelar Service Governance contract will be the operator of the Interchain Token Service, and naturally, inInterchainTokenService.sol
, the functionsetFlowLimits
is restricted toonlyOperator
.However, when I asked the sponsor on Discord who the owner of
InterchainTokenService.sol
will be, dean.axelar#1908 responded that the README.md is in fact incorrect. He stated that the owner of theInterchainTokenService.sol
will be the AxelarServiceGovernance, and the operator will be privately controlled Axelar team Multisig.As a result, Axelar Governance will be unable to call
setFlowLimits
, preventing AXL owners from reacting to exploits. This is a dangerous centralization of power because only the main Axelar team will be able to activate this protective measure. Since this issue may indirectly result in loss of funds, as the ability to react to fund-draining exploits will be compromised, this issue is of Medium severity.Note that even if the operator of
InterchainTokenService.sol
was the Axelar Governance, they would then not be able to callsetPaused
, as it is restricted toonlyOwner
. This contradicts the README again (Scope->Pausable.sol): "This contract provides a mechanism to halt the execution of specific functions on the interchain token service if a paused by the governance operator."This strongly indicates that, regardless of who is intended to be the Owner and/or the Operator of
InterchainTokenService.sol
, there is clearly confusion within the Axelar team regarding who will have access to these critical control functions inInterchainTokenService.sol
.Tools Used
VSCode
Recommended Mitigation Steps
As
setFlowLimits
andsetPaused
are critical control functions inInterchainTokenService.sol
and are meant to mitigate exploits, they should both be callable by Axelar Governance. Whether the Axelar Governance is the operator or the owner ofInterchainTokenService.sol
is a matter of semantics; Axelar Governance just needs to be given access to these functions.If the Axelar Governance is meant to be the owner of
InterchainTokenService.sol
, the following will fix the issue:Assessed type
Access Control