code-423n4 / 2023-07-axelar-findings


funds can be stolen in `InterchainGovernance`, `Multisig` and `AxelarServiceGovernance` contracts #469

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/governance/InterchainGovernance.sol#L68 https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/governance/Multisig.sol#L30 https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/governance/AxelarServiceGovernance.sol#L48

Vulnerability details

Impact

In InterchainGovernance, users can execute a proposal by passing the required data and the amount of native value they want to send to the executeProposal function. This function calls the _call function in the Caller contract, but instead of checking msg.value, that function checks whether the current balance of the contract is greater than or equal to the arbitrary nativeValue passed to it. This means they can steal funds from the contract without sending any value to it, by setting nativeValue to the balance of the contract.

In Multisig.sol::execute and AxelarServiceGovernance.sol::executeMultisigProposal it is the same scenario, except that only signers are allowed to call those functions.

Proof of Concept

Here is the _call function in the Caller contract, which checks the current balance of the contract:

```solidity
    function _call(
        address target,
        bytes calldata callData,
        uint256 nativeValue
    ) internal {
        if (nativeValue > address(this).balance) revert InsufficientBalance();

        (bool success, ) = target.call{ value: nativeValue }(callData);
        if (!success) {
            revert ExecutionFailed();
        }
    }
```

Tools Used

Manual Review

Recommended Mitigation Steps

You should check whether msg.value is equal to nativeValue:

```solidity
if (nativeValue != msg.value) revert InsufficientBalance();
```

Assessed type

Invalid Validation
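
The contract below is an added example, not code from this issue or from the Axelar repository, and the judge's verdict on the report stands as recorded in the comments that follow. It places the balance-gated `_call` pattern quoted above beside the report's proposed `msg.value == nativeValue` check and beside a third variant that binds `nativeValue` into an approved proposal hash. The contract name, the `approved` mapping, the `owner`-gated `approve` function and the proposal-hash scheme are illustrative assumptions; they are not a description of how the audited contracts work. The point a reviewer should take from it is that the two checks are not interchangeable: a balance check lets the contract spend funds it already holds, a `msg.value` equality check forces the executor to supply the full amount every time, and whether either is a bug depends on who can choose `target`, `callData` and `nativeValue`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (assumption, not the audited Axelar contracts): three ways to
// gate a native-value call, side by side.
contract ExecutorExample {
    error InsufficientBalance();
    error ValueMismatch();
    error NotApproved();
    error NotOwner();
    error ExecutionFailed();

    // Hypothetical approver; in a real system this role sits behind governance
    // and a timelock rather than a single EOA.
    address public immutable owner;

    // Proposal hashes that the approver has marked executable (single use).
    mapping(bytes32 => bool) public approved;

    constructor() {
        owner = msg.sender;
    }

    // Lets the contract hold native value that approved proposals may spend.
    receive() external payable {}

    // Variant A: balance check only, the pattern quoted in the report.
    // With no other restriction on target/callData/nativeValue, any caller can
    // direct the whole balance to an address of their choosing.
    function executeBalanceChecked(address target, bytes calldata callData, uint256 nativeValue) external payable {
        if (nativeValue > address(this).balance) revert InsufficientBalance();
        _call(target, callData, nativeValue);
    }

    // Variant B: the report's suggested check. Held funds can no longer be
    // spent by an executor, but the contract also loses the ability to fund a
    // call from its own balance; the executor must attach the full amount.
    function executeValueMatched(address target, bytes calldata callData, uint256 nativeValue) external payable {
        if (nativeValue != msg.value) revert ValueMismatch();
        _call(target, callData, nativeValue);
    }

    // Variant C: bind the amount into the approved proposal. Anyone may execute,
    // but only the exact (target, callData, nativeValue) tuple that was approved,
    // so held funds are spent only as the approver decided.
    function executeApproved(address target, bytes calldata callData, uint256 nativeValue) external payable {
        bytes32 proposalHash = keccak256(abi.encode(target, callData, nativeValue));
        if (!approved[proposalHash]) revert NotApproved();
        delete approved[proposalHash]; // one execution per approval
        if (nativeValue > address(this).balance) revert InsufficientBalance();
        _call(target, callData, nativeValue);
    }

    // Approval hook for variant C; restricted so the example itself is not
    // trivially exploitable.
    function approve(address target, bytes calldata callData, uint256 nativeValue) external {
        if (msg.sender != owner) revert NotOwner();
        approved[keccak256(abi.encode(target, callData, nativeValue))] = true;
    }

    function _call(address target, bytes calldata callData, uint256 nativeValue) internal {
        (bool success, ) = target.call{ value: nativeValue }(callData);
        if (!success) revert ExecutionFailed();
    }
}
```

Reading the three variants together: variant A is only a theft vector if the executor can choose the parameters freely; if the tuple is fixed by a prior approval step, as in variant C, the balance check is the correct gate and replacing it with variant B would break proposals that intend to spend the contract's own funds.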

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #466

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid