Open c4-bot-10 opened 3 months ago
kupermind (sponsor) confirmed
0xA5DF marked the issue as selected for report
0xA5DF marked the issue as satisfactory
@0xA5DF I reported this in my QA report as L-03, would you consider upgrading it to a duplicate?
On the other hand, my finding #21 is currently marked as a duplicate of this finding, but is actually a duplicate of #5.
Fair enough, upgraded and changed the dupe
Fixed
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/ArbitrumDepositProcessorL1.sol#L119-L192
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/WormholeDepositProcessorL1.sol#L59-L98
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/WormholeTargetDispenserL2.sol#L89-L124
Vulnerability details
In multiple bridges, in `_sendMessage` there is a `cost` variable which is usually obtained by calling the bridge integration gas price estimator. The problem is that when `msg.value` > `cost`, since `cost` is usually dynamic, the `msg.value - cost` will not be refunded to the transaction originator. For instance, for the Wormhole integrator below:
WormholeTargetDispenserL2.sol#L89-L124
A `cost` is returned from `quoteEVMDeliveryPrice` that reflects the gas cost of executing the cross-chain transaction for the given gas limit of `gasLimitMessage`. When this `sendPayloadToEvm` is called, the `cost` amount will be sent for the cross-chain transaction, but the `msg.value - cost` will remain stuck and not refunded to the user. Affects multiple areas of the codebase, see links to affected code.
Impact
`msg.value - cost` will remain stuck and not refunded to the user.
Tools Used
Manual
Recommended Mitigation Steps
Refund `msg.value - cost` to `tx.origin`
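Added example, not code from the Olas repository or the linked contracts: a hypothetical minimal integrator (contract `LeakyDispatcher`, interface `IRelayerQuote`, all names assumed) showing the `_sendMessage` pattern from the finding, where a dynamic quote is forwarded and the surplus stays in the contract, next to a version that returns the surplus to the caller. The refund goes to `msg.sender` rather than `tx.origin`; the difference is noted in the code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal bridge integrator (not the Olas code) that
/// mirrors the pattern in the finding: a dynamic quote `cost` is
/// forwarded to the relayer, but any surplus in msg.value is kept.
interface IRelayerQuote {
    // Assumed interface shape, standing in for a quote/deliver pair.
    function quote(uint256 gasLimit) external view returns (uint256 cost);
    function deliver(bytes calldata payload) external payable;
}

contract LeakyDispatcher {
    IRelayerQuote public immutable relayer;
    uint256 public constant GAS_LIMIT_MESSAGE = 2_000_000;

    constructor(IRelayerQuote _relayer) { relayer = _relayer; }

    /// Vulnerable pattern: forwards `cost` and silently keeps msg.value - cost.
    function sendMessageLeaky(bytes calldata payload) external payable {
        uint256 cost = relayer.quote(GAS_LIMIT_MESSAGE);
        require(msg.value >= cost, "insufficient fee");
        _deliver(payload, cost);
        // surplus stays in this contract with no path for the caller to recover it
    }

    /// Hardened pattern: compute the surplus and return it after delivery.
    function sendMessageWithRefund(bytes calldata payload) external payable {
        uint256 cost = relayer.quote(GAS_LIMIT_MESSAGE);
        require(msg.value >= cost, "insufficient fee");
        _deliver(payload, cost);
        uint256 surplus = msg.value - cost;
        if (surplus > 0) {
            // Refund to msg.sender; the finding recommends tx.origin, which only
            // differs when the caller is itself a contract forwarding funds.
            (bool ok, ) = msg.sender.call{value: surplus}("");
            require(ok, "refund failed");
        }
    }

    function _deliver(bytes calldata payload, uint256 cost) internal {
        // stand-in for a sendPayloadToEvm-style call that takes exactly `cost`
        relayer.deliver{value: cost}(payload);
    }
}
```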
Assessed type
Other