Closed code423n4 closed 1 year ago
The submission does not provide any demonstration of the issue, reasoning and code blocks.
0xSorryNotSorry marked the issue as low quality report
berndartmueller marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/interchain-governance-executor/InterchainProposalExecutor.sol#L76
Vulnerability details
Impact
InterchainProposalExecutor#_executeProposal makes a call to interchaincall to send the value. It then stores the return data of the call in memory. A malicious user could set the interchaincall target to a malicious contract that would return an extremely large amount of data that would be guaranteed to cause an OOG error when loaded into memory. The result is that would be permanently locked, causing massive loss.
Proof of Concept
see impact
Tools Used
manual
Recommended Mitigation Steps
Cap the data returned or don't store the return data at all.
Assessed type
call/delegatecall
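The first mitigation named in the report (capping the returned data), sketched as an added example that is not part of the original submission or of the Axelar code base. `CappedCall`, `callCapped` and `maxCopy` are hypothetical names, and the pragma is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical helper for illustration only.
library CappedCall {
    /// Performs a low-level call and copies at most `maxCopy` bytes of the
    /// callee's return data into memory, regardless of how much it returns.
    ///
    /// By contrast, `(bool ok, bytes memory ret) = target.call{value: v}(data);`
    /// copies the entire return data, so the caller pays memory-expansion gas
    /// for a size chosen by the callee.
    function callCapped(
        address target,
        uint256 value,
        bytes memory data,
        uint256 maxCopy
    ) internal returns (bool success, bytes memory returnData) {
        // Allocate the buffer up front; its size is fixed by the caller.
        returnData = new bytes(maxCopy);

        assembly {
            // Output offset and size are 0: the CALL itself copies nothing.
            success := call(
                gas(),
                target,
                value,
                add(data, 0x20), // start of calldata payload
                mload(data),     // calldata length
                0,
                0
            )

            // Copy only min(returndatasize, maxCopy) bytes.
            let toCopy := returndatasize()
            if gt(toCopy, maxCopy) {
                toCopy := maxCopy
            }

            // Shrink the length field to the bytes actually copied.
            mstore(returnData, toCopy)
            returndatacopy(add(returnData, 0x20), 0, toCopy)
        }
    }
}
```

A caller that only needs the success flag can pass `maxCopy = 0`; one that bubbles up revert reasons can pick a small bound such as a few hundred bytes.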