Closed howlbot-integration[bot] closed 3 months ago
trust1995 marked the issue as not a duplicate
trust1995 marked the issue as unsatisfactory: Invalid
This one does not uncover the impact of the previously dupped issues. The impact is non-existent because the router should not hold funds anyways.
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/733dbe7cd7eef0dffc5e8a2d02e36bf74b196eff/ethereum/contracts/THORChain_Router.sol#L246-L250
https://github.com/code-423n4/2024-06-thorchain/blob/733dbe7cd7eef0dffc5e8a2d02e36bf74b196eff/ethereum/contracts/THORChain_Router.sol#L255-L259
Vulnerability details
Impact
Any ETH contained in the THORChain_Router either sent to the contract mistakenly or any other means can be stolen by a malicious vault. This would be achieved using the transferOutV5 or batchTransferOutV5 function.
Proof of Concept
THORChain_Router::transferOutV5 allows users transfer of ETH to other vaults. This calls _transferOutV5 as can be seen below.
Within _transferOutV5, the amount entered in transferOutPayload is transferred to the recipient address.
The amount of ETH sent is not dependent on the msg.value but rather on the vault's crafted calldata transferOutPayload. Therefore, by inputting the value of ETH in the THORChain_Router contract, the vault can send the ETH out of the Router contract to any recipient address which can be another contract controlled by them.
Tools Used
Manual Review
Recommended Mitigation Steps
transferOutV5 transactions, if token to transfer is ETH, then msg.value should be cached as a safeAmount and then subtracted on every iteration. If safeAmount gets below 0, then msg.value sent with the transaction is exhausted and then transaction should continue or revert if msg.value is insufficient.
Assessed type
ETH-Transfer
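The mitigation recommended in the report above, sketched as an added example; it is not part of the original issue and is not the THORChain_Router code. The contract, struct, event and error names are hypothetical, and reverting when a send fails is a choice made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; all names here are hypothetical.
contract BudgetedEthRouter {
    struct EthOut {
        address payable to;
        uint256 amount;
        string memo;
    }

    event TransferOut(address indexed vault, address indexed to, uint256 amount, string memo);

    error BudgetExceeded(uint256 requested, uint256 remaining);
    error SendFailed(address to);

    // Batch ETH payout that can only spend the ETH attached to this call,
    // never ETH the contract already held before the call.
    function batchTransferOutEth(EthOut[] calldata outs) external payable {
        // Cache msg.value once: this is the budget for the whole batch.
        uint256 safeAmount = msg.value;

        for (uint256 i = 0; i < outs.length; ++i) {
            uint256 amount = outs[i].amount;

            // The amount comes from caller-controlled calldata, so it is
            // checked against what the caller funded before it is spent.
            if (amount > safeAmount) revert BudgetExceeded(amount, safeAmount);
            safeAmount -= amount;

            // The budget is a local variable, so a recipient that re-enters
            // starts a new call with its own msg.value and its own budget.
            (bool ok, ) = outs[i].to.call{value: amount}("");
            if (!ok) revert SendFailed(outs[i].to);

            emit TransferOut(msg.sender, outs[i].to, amount, outs[i].memo);
        }

        // Refund the unspent remainder so the call leaves the contract's
        // ETH balance exactly as it found it.
        if (safeAmount > 0) {
            (bool refunded, ) = payable(msg.sender).call{value: safeAmount}("");
            if (!refunded) revert SendFailed(msg.sender);
        }
    }
}
```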