code-423n4 / 2023-09-centrifuge-findings


Lack of a failsafe mechanism to replay failed transactions between the source chain and the destination chain. This would lead to loss of funds for users when a transaction fails. #759

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/InvestmentManager.sol#L69
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L78
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/gateway/routers/axelar/Router.sol#L24
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/gateway/Messages.sol#L8

Vulnerability details

Impact

When the transaction fails on either chain (source or destination), it is never replayed. This would lead to loss of assets if the transaction is for a token transfer. Similarly, other issues can happen.

Proof of Concept

Centrifuge uses a cross-chain messaging mechanism to connect different chains with the Centrifuge chain.

The message (transaction payload) is built on the source chain and relayed to the destination chain. On the destination chain the transaction is completed.

For example, the tokens are burnt or locked on the source chain, an event is emitted, and this message is relayed to the destination chain. The destination chain either mints new tokens or performs some other functionality depending on the user request.

When the transaction fails on the destination chain, it is left silently. One possible reason could be that, due to a spike in gas price, the transaction reverts on the destination chain.

As an example we can see handleExecutedCollectRedeem, which is initiated on the source chain by the Manager contract.

Before calling the gateway contract, the token transfer and burning are done.

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/InvestmentManager.sol#L272-L274

After this, the message is relayed to the destination chain and then the token minting or asset transfer is done.

But when the transaction fails on the destination chain, it will not be replayed.

Tools Used

Manual review.

Recommended Mitigation Steps

We recommend capturing the failed transactions and replaying them, or collecting those failed transactions and notifying the user by emitting an event, so that they are allowed to redo the transaction.

Assessed type

Error
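The capture-and-replay mitigation the submission recommends, as an added Solidity sketch that is not Centrifuge's Gateway or Router code; `RetryableGateway`, `IMessageHandler`, `router` and the message layout (leading 8-byte nonce) are assumed names for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface for the contract that actually applies inbound messages
// (the role InvestmentManager/PoolManager play in the audited code base).
interface IMessageHandler {
    function handle(bytes calldata message) external;
}

contract RetryableGateway {
    IMessageHandler public immutable handler;
    address public immutable router; // trusted inbound router (assumed)

    // Message id => whether the handler has ever succeeded for it.
    mapping(bytes32 => bool) public delivered;
    // Message id => number of delivery attempts that reverted.
    mapping(bytes32 => uint256) public failedAttempts;

    event MessageDelivered(bytes32 indexed messageId);
    // Surfaces the failure so the user / an off-chain watcher can act on it.
    event MessageFailed(bytes32 indexed messageId, uint256 attempt, bytes reason);

    constructor(address _router, IMessageHandler _handler) {
        router = _router;
        handler = _handler;
    }

    // Normal path: only the trusted router may introduce a new message.
    function deliver(bytes calldata message) external {
        require(msg.sender == router, "not router");
        _execute(message);
    }

    // Replay path: anyone may re-drive a message whose earlier attempt reverted,
    // e.g. once gas conditions on the destination chain have normalised.
    function retry(bytes calldata message) external {
        require(failedAttempts[keccak256(message)] > 0, "not a failed message");
        _execute(message);
    }

    function _execute(bytes calldata message) internal {
        bytes32 id = keccak256(message); // message carries a source-chain nonce, so ids are unique
        require(!delivered[id], "already delivered");
        try handler.handle(message) {
            delivered[id] = true;
            delete failedAttempts[id];
            emit MessageDelivered(id);
        } catch (bytes memory reason) {
            // Record instead of swallowing: the message stays replayable.
            failedAttempts[id] += 1;
            emit MessageFailed(id, failedAttempts[id], reason);
        }
    }
}
```

The `delivered` check is what keeps replay from becoming double execution; it only holds if every message carries a unique nonce from the source chain, and the handler's revert must leave no partial state behind (a revert inside `handle` is fully rolled back by the `try`).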

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #26

c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Invalid