search

code-423n4 / 2023-07-axelar-findings

2 stars 0 forks source link

IF THE TRUSTED SERVICE ADDRESS IS REMOVED IN A DIFFERENT CHAIN, ALL THE PENDING TRANSACTION WILL BE ROUTED TO THE SERVICE ADDRESS OF EVM CHAIN #481

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/its/remote-address-validator/RemoteAddressValidator.sol#L95-L100 https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/its/remote-address-validator/RemoteAddressValidator.sol#L133-L138

Vulnerability details

Impact

The RemoteAddressValidator contract is used to map the destination chain to corresponding interchainTokenService contract address of that chain. There is a function called removeTrustedAddress where the owner of the contract can remove the trusted interchain token service address from the respective chain.

But this function is not controlled by a timelock. Hence if this function is executed and the existing interchainTokenService address is removed, for the live transactions coming to this service contract will be routed to the interchainTokenService contract of the ethereum chain due to the following configuration in the RemoteAddressValidator.getRemoteAddress function.

    if (bytes(remoteAddress).length == 0) {
        remoteAddress = interchainTokenServiceAddress.toString();
    }

As a result if the destinaction chain is not ethereum and the owner of the RemoteAddressValidator decides to remove the service contract by calling removeTrustedAddress, the pending transactions will now be routed to the interchainTokenServiceAddress of the ethereum chain thus breaking the protocol.

Proof of Concept

    function removeTrustedAddress(string calldata chain) external onlyOwner {
        if (bytes(chain).length == 0) revert ZeroStringLength();
        remoteAddressHashes[chain] = bytes32(0);
        remoteAddresses[chain] = '';
        emit TrustedAddressRemoved(chain);
    }

https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/its/remote-address-validator/RemoteAddressValidator.sol#L95-L100

    function getRemoteAddress(string calldata chainName) external view returns (string memory remoteAddress) {
        remoteAddress = remoteAddresses[chainName];
        if (bytes(remoteAddress).length == 0) {
            remoteAddress = interchainTokenServiceAddress.toString();
        }
    }

https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/its/remote-address-validator/RemoteAddressValidator.sol#L133-L138

Tools Used

Manual Review and VSCode

Recommended Mitigation Steps

Hence it is recommended to add a timelock to the removeTrustedAddress function so the users will know the service contract has been removed. So they can stop sending token transfer transactions to that destination chain till a new service contract is configured.

Assessed type

Other

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #254

c4-judge commented 1 year ago

berndartmueller changed the severity to QA (Quality Assurance)