Closed c4-bot-10 closed 3 months ago
trust1995 marked the issue as unsatisfactory: Invalid
Thank you for reviewing my report. I would like to provide further clarification on the issue to highlight its validity and potential impact.
In the transferOutV5 and batchTransferOutV5 functions, excess Ether sent during a transaction is allowed to remain in the contract. This excess Ether can be subsequently retrieved by any user, including malicious actors, by executing transferOutV5 without sending any actual Ether (which is proven in the PoC section), leading to unintended loss of funds.
I kindly request reconsideration of this finding, as addressing this issue will enhance the contract's robustness and protect user funds.
Hi, the issue is well understood. However, the standard judging practice is to assume user is not reckless and will not send an incorrect amount of ETH in the contract.
Thank you for your response and for clarifying the standard judging practice. I appreciate your point regarding user behavior.
However, I would like to emphasize that the transferOutV5 function is primarily intended to be called by THORChain vaults. These calls are the culmination of a series of procedures, which, whether by human or machine error, could result in an incorrect Ether amount being sent.
In examining the transferOut and other functions in the V4 version, it is evident that these functions do not tolerate such discrepancies, indicating that errors can and do occur. Therefore, it seemed prudent to highlight this issue to prevent potential disruptions.
My intention with this report was to enhance the robustness of the contract and ensure the security of user funds. While user error is always a factor, the potential for this issue to be exploited in a malicious context should not be overlooked.
I appreciate your time and effort.
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/ethereum/contracts/THORChain_Router.sol#L391 https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/ethereum/contracts/THORChain_Router.sol#L397
Vulnerability details
Impact
The transferOutV5 and batchTransferOutV5 functions in the THORChain_Router contract do not return excess Ether to the sender when the amount of Ether sent (msg.value) exceeds the specified transfer amount (transferOutPayload.amount). This oversight leaves excess Ether in the contract, which can be subsequently retrieved by any user, including malicious actors. This can lead to a significant loss of funds and potentially disrupt the normal operations of the contract.
Proof of Concept
The vulnerability can be demonstrated by sending more Ether than the specified transfer amount in a call to transferOutV5. The excess Ether remains in the contract and can be taken by any subsequent user.
Test Case (Foundry)
Tools Used
Recommended Mitigation Steps
To prevent this vulnerability, the transferOutV5 and batchTransferOutV5 functions should be modified to handle excess Ether correctly. One approach is to revert the transaction if excess Ether is sent, ensuring that the contract does not retain any unclaimed Ether. Alternatively, the contract could be modified to automatically refund any excess Ether to the sender (the vault).
Assessed type
Other
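The following is an added illustration of the two mitigations proposed in the report, written as a hypothetical, simplified router. It is not THORChain_Router code and it is not the submitter's Foundry test; the contract name, the TransferOutPayload struct, the function names and the event are assumptions made for the example. The first function reproduces the pattern the report describes (only amount is forwarded, so any msg.value above it stays in the contract balance); the strict and refund variants show the two fixes, and the batch variant applies the strict check to the sum of all amounts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified router used only to illustrate the report's mitigations.
// This is NOT THORChain_Router; all names and structure here are assumptions.
contract ExampleRouter {
    struct TransferOutPayload {
        address payable to;
        uint256 amount;
        string memo;
    }

    event TransferOut(address indexed vault, address indexed to, uint256 amount, string memo);

    // Pattern described in the report: only `amount` is forwarded, so any
    // msg.value above it is left in the contract balance with no owner.
    function transferOutUnchecked(TransferOutPayload calldata p) external payable {
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
        emit TransferOut(msg.sender, p.to, p.amount, p.memo);
    }

    // Mitigation 1 (report): revert unless msg.value matches the amount exactly.
    // No extra external call is needed, so this is the simplest safe option.
    function transferOutStrict(TransferOutPayload calldata p) external payable {
        require(msg.value == p.amount, "msg.value must equal amount");
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
        emit TransferOut(msg.sender, p.to, p.amount, p.memo);
    }

    // Mitigation 2 (report): forward `amount` and refund any excess to the
    // caller (the vault), never to `to`. The excess is computed before any
    // external call and the refund is required to succeed.
    function transferOutRefund(TransferOutPayload calldata p) external payable {
        require(msg.value >= p.amount, "insufficient msg.value");
        uint256 excess = msg.value - p.amount;
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
        if (excess > 0) {
            (bool refunded, ) = payable(msg.sender).call{value: excess}("");
            require(refunded, "refund failed");
        }
        emit TransferOut(msg.sender, p.to, p.amount, p.memo);
    }

    // Batch variant with the strict check applied to the total, so a batch
    // call cannot leave unclaimed Ether behind either.
    function batchTransferOutStrict(TransferOutPayload[] calldata ps) external payable {
        uint256 total;
        for (uint256 i = 0; i < ps.length; i++) {
            total += ps[i].amount;
        }
        require(msg.value == total, "msg.value must equal sum of amounts");
        for (uint256 i = 0; i < ps.length; i++) {
            (bool ok, ) = ps[i].to.call{value: ps[i].amount}("");
            require(ok, "transfer failed");
            emit TransferOut(msg.sender, ps[i].to, ps[i].amount, ps[i].memo);
        }
    }
}
```

The strict equality check is the cheaper of the two fixes and introduces no additional external call; the refund variant is more forgiving of a mis-sized msg.value but adds a second value-bearing call to msg.sender, so it should be paired with the contract's existing reentrancy protection and the refund must be required to succeed rather than silently ignored. Either way, a residual-balance check in a test (assert the router's balance is zero after the call) is the easiest way to confirm the fix holds for both the single and batch paths.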