Closed howlbot-integration[bot] closed 3 months ago
trust1995 marked the issue as unsatisfactory: Invalid
I would like to have an explanation about why the issue has been invalidated.
From my understanding of this part of the code, it seems that the native assets are sent to the wrong address in case the swap fails.
The swap is executed on the contract at address aggregationPayload.target, and the fallback mechanism sends the ETH back to this same contract (i.e. aggregationPayload.target) while it was intended to be sent to the recipient of the swap initially.
trust1995 marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/main/chain/ethereum/contracts/THORChain_Router.sol#L324
Vulnerability details
Impact
Loss of funds
Potential profit for a malicious party
Proof of concept
The _transferOutAndCallV5() function allows a Vault to swap native ETH to any ERC20 token supported by the protocol through the swapOutV5() function called on an aggregator: https://github.com/code-423n4/2024-06-thorchain/blob/main/chain/ethereum/contracts/THORChain_Router.sol#L304-L328
In case the swap fails (out-of-gas or another reason), the protocol implements a "fallback" mechanism which consists of "just send the recipient the gas asset", as stated by the code comment.
In reality, the gas asset is transferred to the aggregator (aggregationPayload.target), not to the recipient, which would be aggregationPayload.recipient.
If we set the developer's comment aside and assume the actual intention was to send the gas asset to the aggregator, another issue occurs: the gas asset will remain on the aggregator contract.
This allows anyone to call the swapOutV5() function on the aggregator to swap the gas asset to another token, resulting in it being effectively stolen from the legitimate user it belonged to.
In both scenarios, the current implementation introduces a vulnerability for the users of the protocol.
Tools used
Manual review
Recommended mitigation steps
Send the gas asset to aggregationPayload.recipient rather than aggregationPayload.target.
Doing so will result in the legitimate user receiving their funds even if the swap failed.
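The fallback path described in the proof of concept and the recommended fix, as an added illustration (this is not the THORChain_Router code; the contract, the swapOutV5 parameter list and the AggregationPayload fields are assumed for the example):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical aggregator interface; the parameter list is assumed for
// this example and is not taken from the project's own interface.
interface IAggregator {
    function swapOutV5(
        address fromAsset,
        uint256 fromAmount,
        address toAsset,
        address recipient,
        uint256 amountOutMin,
        bytes calldata payload,
        string calldata originAddress
    ) external payable;
}

// Minimal router model showing only the swap-and-fallback logic discussed
// in the finding. Not the project's contract.
contract RouterFallbackExample {
    struct AggregationPayload {
        address target;       // aggregator contract that performs the swap
        address fromAsset;    // address(0) means the native gas asset
        uint256 fromAmount;   // amount of gas asset forwarded to the swap
        address toAsset;      // ERC20 the user wants to receive
        address recipient;    // end user who should end up with the funds
        uint256 amountOutMin; // slippage protection for the swap
        bytes payload;        // opaque data forwarded to the aggregator
        string originAddress; // origin chain address, for event logging
    }

    event SwapSucceeded(address indexed target, address indexed recipient, uint256 amount);
    event SwapFailedRefunded(address indexed recipient, uint256 amount);

    // Caller forwards msg.value as the gas asset to be swapped.
    function transferOutAndCallV5(AggregationPayload calldata p) external payable {
        require(p.fromAsset == address(0), "example handles gas asset only");
        require(msg.value == p.fromAmount, "value mismatch");

        // Low-level call so a reverting aggregator does not revert the whole
        // transaction; a failure instead takes the fallback branch below.
        (bool ok, ) = p.target.call{value: p.fromAmount}(
            abi.encodeWithSelector(
                IAggregator.swapOutV5.selector,
                p.fromAsset,
                p.fromAmount,
                p.toAsset,
                p.recipient,
                p.amountOutMin,
                p.payload,
                p.originAddress
            )
        );

        if (ok) {
            emit SwapSucceeded(p.target, p.recipient, p.fromAmount);
            return;
        }

        // Vulnerable shape (as reported): the refund goes back to the
        // aggregator, so the user never receives the gas asset.
        //   (bool refunded, ) = p.target.call{value: p.fromAmount}("");
        //
        // Fixed shape (the recommended mitigation): refund the end user.
        (bool refunded, ) = p.recipient.call{value: p.fromAmount}("");
        require(refunded, "refund to recipient failed");
        emit SwapFailedRefunded(p.recipient, p.fromAmount);
    }
}
```

The only change between the two shapes is the refund destination; the distinct event makes the failed-swap-plus-refund path visible in logs, which is what a monitoring rule would key on to confirm that refunds reach users rather than the aggregator.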
Assessed type
ETH-Transfer