code-423n4 / 2023-07-axelar-findings


InterchainTokenService doesn't support executeWithToken, but the call succeeds silently #300

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/interchain-token-service/InterchainTokenService.sol#L575

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/gmp-sdk/executable/AxelarExecutable.sol#L43

Vulnerability details

Impact

InterchainTokenService doesn't support executeWithToken, but the call succeeds silently. This will cause the user's funds to be stuck in the contract.

Proof of Concept

    function _execute(
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes calldata payload
    ) internal virtual {}

    function _executeWithToken(
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes calldata payload,
        string calldata tokenSymbol,
        uint256 amount
    ) internal virtual {}

In AxelarExecutable, there are two call methods: execute and executeWithToken. InterchainTokenService inherits AxelarExecutable. However, executeWithToken is not overwritten, resulting in a silent success call. The correct approach is to prohibit calls to executeWithToken, like InterchainGovernance:

    function _executeWithToken(
        string calldata, /* sourceChain */
        string calldata, /* sourceAddress */
        bytes calldata, /* payload */
        string calldata, /* tokenSymbol */
        uint256 /* amount */
    ) internal pure override {
        revert TokenNotSupported();
    }

The process is as follows:

  1. The user sends an InterchainTokenService.executeWithToken message in the source chain.
  2. The Gateway tags the message as executable.
  3. Anyone can call InterchainTokenService.executeWithToken with silent success; the message is marked as executed and funds are locked.

Tools Used

Manual review

Recommended Mitigation Steps

  1. Calling InterchainTokenService.executeWithToken should revert, to avoid the message being marked as executed.
  2. Allow users to cancel unexecuted messages to release locked funds.

Assessed type

Context
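
A simplified model of the control flow the report describes, added here as an illustration; it is not code from the Axelar repository or from the reporter. `MockGateway`, `ExecutableModel`, `SilentReceiver` and `RevertingReceiver` are hypothetical names, and the gateway check is reduced to a one-shot approval keyed by `commandId`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Constructed stand-in for the gateway: an approval can be consumed exactly once.
contract MockGateway {
    mapping(bytes32 => bool) public approved;

    function approve(bytes32 commandId) external { approved[commandId] = true; }

    // Simplified signature (assumption): returns true once, then clears the approval.
    function validateContractCallAndMint(bytes32 commandId) external returns (bool ok) {
        ok = approved[commandId];
        if (ok) approved[commandId] = false;
    }
}

// Constructed stand-in for the executable base: validate first, then call the hook.
abstract contract ExecutableModel {
    error NotApprovedByGateway();
    MockGateway public immutable gateway;

    constructor(MockGateway gateway_) { gateway = gateway_; }

    function executeWithToken(bytes32 commandId, bytes calldata payload, string calldata tokenSymbol, uint256 amount) external {
        if (!gateway.validateContractCallAndMint(commandId)) revert NotApprovedByGateway();
        _executeWithToken(payload, tokenSymbol, amount);
    }

    // Empty default hook, mirroring the first snippet in the report.
    function _executeWithToken(bytes calldata payload, string calldata tokenSymbol, uint256 amount) internal virtual {}
}

// Inherits the empty hook: the call returns normally and the approval stays consumed.
contract SilentReceiver is ExecutableModel {
    constructor(MockGateway g) ExecutableModel(g) {}
}

// Overrides the hook to revert: the transaction rolls back, including the
// approval consumption, so the message is not marked as executed.
contract RevertingReceiver is ExecutableModel {
    error TokenNotSupported();

    constructor(MockGateway g) ExecutableModel(g) {}

    function _executeWithToken(bytes calldata, string calldata, uint256) internal pure override {
        revert TokenNotSupported();
    }
}
```

With an approved `commandId`, `executeWithToken` on `SilentReceiver` returns normally and leaves `approved[commandId]` false, while the same call on `RevertingReceiver` reverts and leaves the approval set.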

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as primary issue

c4-sponsor commented 1 year ago

deanamiel marked the issue as sponsor disputed

deanamiel commented 1 year ago

This is intended behavior since callContractWithToken should do nothing at this point in time.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid