search

code-423n4 / 2024-04-renzo-validation

2 stars 2 forks source link

`_relayerFee` is omitted in xcall() Invocation #469

Closed c4-bot-3 closed 6 months ago

c4-bot-3 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Bridge/L1/xRenzoBridge.sol#L265-L273

Vulnerability details

Summary

The connext.xcall() function call is missing the _relayerFee parameter in its arguments within the sendPrice() function. The correct call should include the _relayerFee as the last argument to match the expected function signature. However, this is not the case.

Proof of Concept

connext.xcall()

function xcall(
uint32 _destination,
address _to,
address _asset,
address _delegate,
uint256 _amount,
uint256 _slippage,
bytes calldata _callData,
uint256 _relayerFee // @audit This is expected
) external returns (bytes32);

The sendPrice() function below contains an incorrect call to the xcall() function of the connext contract. The xcall() function expects a _relayerFee parameter, but it is not included in the call.

sendPrice()

// @audit Incorrect call to xcall without _relayerFee
connext.xcall(
_connextDestinationParam[i].destinationDomainId,
_connextDestinationParam[i]._renzoReceiver,
address(0),
msg.sender,
0,
0,
_callData
// @audit Missing _relayerFee parameter here
);

The CCIPDestinationParam struct declared as _connextDestinationParam has three attributes to it that should be used in this call.

/**
* @notice Contains destination data for Connext xCall
*
* @param destinationChainSelector chainlink Connext destination chain domain ID
* @param _renzoReceiver xRenzoDeposit receiver contract
* @param relayerFee relayer Fee required for xCall
*/
struct ConnextDestinationParam {
uint32 destinationDomainId;
address _renzoReceiver;
uint256 relayerFee;
}

However, the connext.xcall() function call in the sendPrice() passes the _connextDestinationParam[i].destinationDomainId & _connextDestinationParam[i]._renzoReceiver as parameters but omits the _connextDestinationParam[i].relayerFee as final parameter.

This oversight could lead to unexpected behavior during execution as the xcall() function relies on the _relayerFee for its logic.

Impact

If the contract compiles (due to an interface mismatch), any transaction calling sendPrice() would likely revert because the xcall() function would not receive the expected arguments. The intended price feed update on the destination chain would not occur, potentially disrupting any dependent operations or systems that rely on up-to-date pricing information.

Tools Used

Manual Review

Recommended Mitigation Steps

Include the missing _relayerFee parameter in the xcall() invocation.

// @audit Corrected call to xcall with _relayerFee
connext.xcall(
    _connextDestinationParam[i].destinationDomainId,
    _connextDestinationParam[i]._renzoReceiver,
    address(0),
    msg.sender,
    0,
    0,
    _callData,
    _connextDestinationParam[i].relayerFee // @audit Correctly included relayer fee
);

Assessed type

Error

DadeKuma commented 6 months ago

relayerFee is an optional argument: https://docs.connext.network/developers/reference/contracts/calls#xcall

It's also included here:

connext.xcall{ value: _connextDestinationParam[i].relayerFee }

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Bridge/L1/xRenzoBridge.sol#L265

DadeKuma commented 6 months ago

@howlbot reject