Closed c4-bot-4 closed 5 months ago
cryptotechmaker (sponsor) disputed
Invalid.
Tokens are sent by PrepareLzCallReturn memory prepareLzCallReturn = _prepareLzSend(_asset, _lzSendParam, _lzSendGas, _lzSendVal);
Hi @cryptotechmaker, from what I can observe in the code here:
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarBaseModule.sol#L131-L199
the prepareLzCallReturn
function is crafted, but it's not utilized to send the packet. Only the prepareLzCallReturn2
is dispatched.
Also I think the #62 and #59 are not the duplications of this issue as well since they refer to a different problem.
dmvt marked the issue as unsatisfactory: Invalid
dmvt marked the issue as unsatisfactory: Invalid
dmvt marked the issue as unsatisfactory: Invalid
@dmvt I believe this issue is valid because in the _lzCustomWithdraw
function, prepareLzCallReturn
is crafted but it's not utilized to send the packet. Only prepareLzCallReturn2
is used to send the packet, which doesn't send any tokens. Therefore, tokens will be stuck as this function will not send tokens cross-chain. You can see the code snippet above to confirm.
dmvt removed the grade
dmvt marked issue #62 as primary and marked this issue as a duplicate of 62
Hi @cryptotechmaker, from what I can observe in the code here: https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarBaseModule.sol#L131-L199 the
prepareLzCallReturn
function is crafted, but it's not utilized to send the packet. Only theprepareLzCallReturn2
is dispatched.Also I think the #62 and #59 are not the duplications of this issue as well since they refer to a different problem.
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as satisfactory
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarBaseModule.sol#L131-L171
Vulnerability details
Description
The
_withdrawToChain
function of MagnetarBaseModule is used to withdraw tokens from YieldBox shares existing in the contract and send them cross-chain to the user's recipient. This function has anunwrap
option to unwrap tokens after sending cross-chain, using the_lzCustomWithdraw
function.However, the
_lzCustomWithdraw
function only executes the lz calldata with the token amount to send being zero.As you can see in the above code snippet,
prepareLzCallReturn
was prepared as calldata to send tokens without composing a message but has not been executed. It only executesprepareLzCallReturn2
, which represents the lz calldata for a composed message. It is used for custom options after receiving tokens. However, theamountToSendLD
ofprepareLzCallReturn2
is 0, resulting in this call not sending any tokens cross-chain.Impact
Users will lose funds when they use a Magnetar function which triggers
_lzCustomWithdraw
. For example, usingwithdrawToChain()
of MagnetarYieldBoxModule with the unwrap option (data.unwrap
== true).Tools Used
Manual review
Recommended Mitigation Steps
Should pass variable from data to
amountToSendLD
andminAmountToCreditLD
to prepare calldataprepareLzCallReturn2
Assessed type
Other