Closed howlbot-integration[bot] closed 3 months ago
@olegpetroveth - what do you think here? Seems like the gas asset should just be sent to the user right?
Caught up with @olegpetroveth - this is an intentional design decision, so adding "sponsor disputed"
trust1995 marked the issue as unsatisfactory: Invalid
The docs should be improved, but it does not qualify as a security risk.
I believe the issue should be valid.
It is safer to send the ETH directly to the user because sending them to the aggregator represents a risk for them to be stolen by another party.
As soon as ETH are on the aggregator, anyone can call the swapOutV5()
function with an arbitrary recipient as long as the fromAsset
is ETH to swap them for another asset.
Even though there is a rescue function, the following hurdles are encountered:
swapOutV5()
before the rescue occursThe issue should not be overlooked and should be considered as a risk leading to a loss of funds for the protocol users
@the-eridanus can you confirm if a failed TX will end up storing the funds in the aggregator, where they can be potentially taken by another party?
As soon as ETH are on the aggregator, anyone can call the swapOutV5() function with an arbitrary recipient as long as the fromAsset is ETH to swap them for another asset.
I feel like that this assumption is wrong, the given aggregator contract is just an example implementation. And tbh a very loosely implementation, if we make any assumption based on that contract, there will be ton of other issues
Because the aggregator is OOS, and this finding depends on a badly implemented aggregator, the finding is OOS indeed.
trust1995 marked the issue as unsatisfactory: Out of scope
I mean, Uniswap V2 pairs also require tokens to be sent into the contract before swapping the tokens and has no rescue function or mecanism to send back the tokens in case something goes wrong but this does not make it a badly implemented contract. It is how users interact with it that can turn it into a risk.
I agree the aggregator is OOS but the root cause of the identified issue resides in the THORChain_Router
contract which is definitely in-scope. Applying the recommended mitigation step would get rid of potential risks related to the interaction with any ("loosely implemented") aggregator and would align with the initial intention of the developers which was to "send the recipient the gas asset".
Doing so, the protocol won't be making "any assumption based on that contract" and would simply take safety measures to discard any unexpected behavior.
I mean, Uniswap V2 pairs also require tokens to be sent into the contract before swapping the tokens and has no rescue function or mecanism to send back the tokens in case something goes wrong but this does not make it a badly implemented contract. It is how users interact with it that can turn it into a risk.
I agree the aggregator is OOS but the root cause of the identified issue resides in the
THORChain_Router
contract which is definitely in-scope. Applying the recommended mitigation step would get rid of potential risks related to the interaction with any ("loosely implemented") aggregator and would align with the initial intention of the developers which was to "send the recipient the gas asset".Doing so, the protocol won't be making "any assumption based on that contract" and would simply take safety measures to discard any unexpected behavior.
The reason the router doesn't sent the recipient the gas asset is the protocol cannot know if the recipient can even receive ETH. For example, the recipient could be a smart contract wallet that consumes more gas than expected, which would mean the transfer would fail and outbound dropped. Instead, the pattern is decided that the aggregator will receive the ETH and prepared to do so with the proper rescueFunds function. This is a conscious design decision.
I understand, thank you for your feedback.
The aggregator being OOS for the audit, I can't debate about the risks the design decision may represent. Just as I explained before, the way the aggregator is currently implemented opens the door for a malicious actor to frontrun the rescueFunds function by calling swapOutV5()
and receive the funds waiting to be rescued.
Hope this note will be taken into account in the mitigation process anyway.
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/main/ethereum/contracts/THORChain_Router.sol#L324
Vulnerability details
Impact
Inside
THORChain_Router::_transferOutAndCallV5
when transferring the gas asset and the call to theaggregationPayload.target
fails, the gas asset according to the comment next to the incorrect line, documentation andTHORChain_Router::_transferOutV5
, should be sent to the recipient, not to theaggregationPayload.target
The recipient will never receive gas asset and the funds of the vault will be lost
Proof of Concept
Please add a test to an existing file, so add a new test file called for example
6_Incorrect_Recipient.js
and paste the code from below. The code asserts that USER1 tries to swap ETH for tokens and send them to USER2 but theTHORChain_Aggregator::swapOutV5
fails and the Aggregator receives the refund, not USER2 as expected.Tools Used
Manual Review
Recommended Mitigation Steps
Change the recipient to the correct one
Inside
THORChain_Router::_transferOutAndCallV5
change:Assessed type
ETH-Transfer