search

code-423n4 / 2023-07-axelar-findings

2 stars 0 forks source link

Lack of Validation for 'destinationAddress' in 'transmitSendToken' Function May Lead to Failed Transactions #284

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/interchain-token-service/InterchainTokenService.sol#L502-L523

Vulnerability details

Impact

During cross-chain transactions, the address on the destinationChain, i.e., the destinationAddress, is a crucial factor since it is where the tokens will be sent to. Therefore, if this address is invalid, the transaction would fail because the tokens cannot be correctly sent to the intended recipient.

Proof of Concept

InterchainTokenService.sol#L502-L523

    function transmitSendToken(
        bytes32 tokenId,
        address sourceAddress,
        string calldata destinationChain,
        bytes memory destinationAddress,
        uint256 amount,
        bytes calldata metadata
    ) external payable onlyTokenManager(tokenId) notPaused {
        bytes memory payload;
        if (metadata.length < 4) {
            payload = abi.encode(SELECTOR_SEND_TOKEN, tokenId, destinationAddress, amount);
            _callContract(destinationChain, payload, msg.value, sourceAddress);
            emit TokenSent(tokenId, destinationChain, destinationAddress, amount);
            return;
        }
        uint32 version;
        (version, metadata) = _decodeMetadata(metadata);
        if (version > 0) revert InvalidMetadataVersion(version);
        payload = abi.encode(SELECTOR_SEND_TOKEN_WITH_DATA, tokenId, destinationAddress, amount, sourceAddress.toBytes(), metadata);
        _callContract(destinationChain, payload, msg.value, sourceAddress);
        emit TokenSentWithData(tokenId, destinationChain, destinationAddress, amount, sourceAddress, metadata);
    }

In the transmitSendToken function, we see that the destinationAddress is used directly to construct the transaction payload and then executed on the destination chain. However, there isn't a check for the validity of the destinationAddress before sending it. This means that if the function caller provides an invalid address, the transaction would fail during execution, wasting gas and potentially blocking other valid transactions.

Recommended Mitigation Steps

To address this issue, one possible solution could be to validate the destinationAddress's validity before sending the transaction. This could involve calling some service on the destination chain to check if the address exists or at least ensure that the address complies with the expected format and length. This could prevent transaction failures due to invalid addresses, thereby enhancing the robustness and security of the smart contract.

Assessed type

Invalid Validation

0xSorryNotSorry commented 1 year ago

OOS --> [MEDIUM-1] Privileged functions can create points of failure

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

berndartmueller commented 1 year ago

OOS --> [MEDIUM-1] Privileged functions can create points of failure

In this case, it's not a privileged function as it's called by the TokenManager's sendToken, callContractWithInterchainToken, and callContractWithInterchainToken functions, which are publicly callable. However, providing an invalid or wrong destination address is the caller's fault.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Overinflated severity