code-423n4 / 2023-07-axelar-findings


A reorg on the origin chain after a proposal has been validated will result in loss of funds for the protocol #499

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/interchain-governance-executor/InterchainProposalSender.sol#L88

Vulnerability details

Impact

The protocol will lose the funds that the user sent to the origin chain InterchainProposalSender contract for the proposal.

Proof of Concept

When a proposal gets submitted it gets reviewed by validators on the Axelar network and then receives a validation on the destination chain so it can get executed by the execution contract there. The issue here arises because of chain reorgs, which happen on certain chains relatively frequently. For example, Polygon has multiple chain reorgs daily, and most of them have a depth of more than 1 block. One of the longest block reorgs that happened recently on Polygon even had a depth of 157 blocks (6 minutes).

https://forum.polygon.technology/t/157-block-reorg-at-block-height-39599624/11388
https://polygonscan.com/blocks_forked

The validation of transactions with Polygon as an origin chain takes 6-7 minutes on average. This is just over the amount of time the reorg mentioned above took.

Take the following scenario into account:

  1. Bob creates a proposal on Polygon to Mainnet that sends 1 ETH to an arbitrary amount and has a stipend of 1 million gas. This comes out to around 1.1 ETH in value.
  2. 6 minutes and 20 seconds pass and Bob's transaction gets validated on the Axelar network and also gets approved on the destination chain's executor contract. A relayer picks it up and executes it successfully.
  3. Polygon reorgs with a depth of 170 blocks, which is just above the time it took the transaction to get executed. As a result, all of the funds Bob sent on Polygon are still in his wallet.

Tools Used

Manual Review

Recommended Mitigation Steps

I am not exactly sure what can be done to prevent it on the protocol's side other than increasing the validation wait times further.

Assessed type

Other
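The waiting-time mitigation mentioned in the report, as an added example that is not part of the original issue or of Axelar's code: a verifier that approves a source-chain event only after a minimum confirmation depth and only while the event's block hash is still canonical, run against the 170-block reorg from the scenario. The `Chain` model, the function names and the thresholds 128 and 256 are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    block_number: int
    block_hash: str

class Chain:
    """Toy canonical chain (constructed, stands in for a source-chain RPC)."""
    def __init__(self):
        self.blocks, self.fork = {}, 0

    def head(self):
        return len(self.blocks) - 1

    def mine(self, upto):
        for n in range(len(self.blocks), upto + 1):
            self.blocks[n] = f"fork{self.fork}-block{n}"

    def reorg(self, depth):
        """Replace the last `depth` blocks with blocks from a competing fork."""
        self.fork += 1
        for n in range(self.head() - depth + 1, self.head() + 1):
            self.blocks[n] = f"fork{self.fork}-block{n}"

def may_approve(chain, ev, min_conf):
    """Approve only if the event is deep enough AND its block is still canonical."""
    if chain.head() - ev.block_number < min_conf:
        return False
    return chain.blocks.get(ev.block_number) == ev.block_hash

def scenario(min_conf, reorg_depth=170, event_block=1000):
    """Return (approved_before_reorg, event_survived_reorg)."""
    chain = Chain()
    chain.mine(event_block)
    ev = Event(event_block, chain.blocks[event_block])
    approved = False
    for head in range(event_block + 1, event_block + reorg_depth):
        chain.mine(head)
        approved = approved or may_approve(chain, ev, min_conf)
    chain.reorg(reorg_depth)  # deep enough to orphan the event's block
    return approved, chain.blocks[event_block] == ev.block_hash

if __name__ == "__main__":
    for k in (128, 256):  # constructed thresholds, not Axelar's settings
        print(k, scenario(k))
```

With a threshold below the reorg depth the approval is issued for an event that later disappears; with a threshold above it, no approval is ever issued for the orphaned event.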

0xSorryNotSorry commented 1 year ago

InterchainProposalSender does not transfer tokens but emits the payload for the execution on the destination chain.

Invalid assumption.

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid