code-423n4 / 2023-07-axelar-findings


bypass flow limit by transferring tokens at epoch's border #460

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/its/utils/FlowLimit.sol#L114
https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/its/utils/FlowLimit.sol#L127

Vulnerability details

Impact

Token flow can reach 2*flow_limit in a very short time.

Proof of Concept

We store the flow out and flow in token amounts for every epoch:

    /**
     * @dev Returns the slot which is used to get the flow out amount for a specific epoch
     * @param epoch The epoch to get the flow out amount for
     * @return slot The slot to get the flow out amount from
     */
    function _getFlowOutSlot(uint256 epoch) internal pure returns (uint256 slot) {
        slot = uint256(keccak256(abi.encode(PREFIX_FLOW_OUT_AMOUNT, epoch)));
    }

    /**
     * @dev Returns the slot which is used to get the flow in amount for a specific epoch
     * @param epoch The epoch to get the flow in amount for
     * @return slot The slot to get the flow in amount from
     */
    function _getFlowInSlot(uint256 epoch) internal pure returns (uint256 slot) {
        slot = uint256(keccak256(abi.encode(PREFIX_FLOW_IN_AMOUNT, epoch)));
    }

        // excerpt from the function that records an inflow: the epoch index is derived from the block timestamp
        uint256 epoch = block.timestamp / EPOCH_TIME;
        uint256 slotToAdd = _getFlowInSlot(epoch);
        uint256 slotToCompare = _getFlowOutSlot(epoch);
        _addFlow(flowLimit, slotToAdd, slotToCompare, flowInAmount);

So for every new epoch the flow out/in number starts at zero, so an attacker can:

  1. At epoch1_start + EPOCH_TIME - 1, trigger a token flow reaching the limit.
  2. At epoch1_start + EPOCH_TIME, the flow out/in number stored is zeroed.
  3. At epoch1_start + EPOCH_TIME, trigger another token flow reaching the limit.

Attackers can use this method for financial gain, etc.

Tools Used

Manual Review.

Recommended Mitigation Steps

Add a limit for every transfer, thus making the attack more expensive.

Assessed type

Context
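The epoch-boundary behaviour described in the submission, modelled as an added Python simulation (not code from the Axelar contracts or the submitter). The per-epoch limiter follows the slot layout quoted above; the check it applies (net inflow per epoch may not exceed the limit), the `EPOCH_TIME` value and the sliding-window variant shown beside it are assumptions made for this example, not the contract's actual rule or the submission's recommendation.

```python
from collections import defaultdict, deque

EPOCH_TIME = 6 * 60 * 60  # seconds; constructed value, the contract's constant is not on the page


class EpochFlowLimit:
    """Per-epoch accounting as the issue describes: counters keyed by epoch = timestamp // EPOCH_TIME."""

    def __init__(self, flow_limit):
        self.flow_limit = flow_limit
        self.flow_in = defaultdict(int)   # stands in for the _getFlowInSlot(epoch) storage slots
        self.flow_out = defaultdict(int)  # stands in for the _getFlowOutSlot(epoch) storage slots

    def add_flow_in(self, amount, timestamp):
        epoch = timestamp // EPOCH_TIME
        # Assumed rule: inflow for the epoch may exceed outflow by at most flow_limit.
        if self.flow_in[epoch] + amount > self.flow_out[epoch] + self.flow_limit:
            return False
        self.flow_in[epoch] += amount
        return True


class SlidingWindowFlowLimit:
    """Alternative accounting (assumed, not the page's recommendation): bound inflow over any trailing EPOCH_TIME window."""

    def __init__(self, flow_limit):
        self.flow_limit = flow_limit
        self.events = deque()  # (timestamp, amount) of accepted inflows

    def add_flow_in(self, amount, timestamp):
        # Drop inflows that fell out of the trailing window.
        while self.events and self.events[0][0] <= timestamp - EPOCH_TIME:
            self.events.popleft()
        if sum(a for _, a in self.events) + amount > self.flow_limit:
            return False
        self.events.append((timestamp, amount))
        return True


def border_scenario(limiter_cls, flow_limit=1_000):
    """Two full-limit inflows one second apart, straddling an epoch boundary. Returns the total accepted."""
    limiter = limiter_cls(flow_limit)
    epoch1_start = 10 * EPOCH_TIME  # constructed: start of some epoch
    accepted = 0
    for ts in (epoch1_start + EPOCH_TIME - 1, epoch1_start + EPOCH_TIME):
        if limiter.add_flow_in(flow_limit, ts):
            accepted += flow_limit
    return accepted
```

With fixed epochs the two transfers land in different epochs and both pass, so 2 * flow_limit moves within one second; the sliding window accepts only the first.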

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #484

c4-judge commented 1 year ago

berndartmueller marked the issue as not a duplicate

berndartmueller commented 1 year ago

Closing as invalid as this is intentional.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid

0xnirlin commented 1 year ago

This unsatisfactory issue is marked as dup of #484

berndartmueller commented 1 year ago

This unsatisfactory issue is marked as dup of #484

Hey @AhmadDecoded,

this submission is not a duplicate as there's no such GitHub issue label.