Closed howlbot-integration[bot] closed 3 months ago
trust1995 changed the severity to 2 (Med Risk)
trust1995 marked the issue as not a duplicate
trust1995 marked the issue as unsatisfactory: Invalid
The issue does not uncover the revert impact, and the demonstrated impact is moot because the router does not have spare ETH.
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/ethereum/contracts/THORChain_Router.sol#L307-L341
Vulnerability details
Description
Even if a user is supposed to interact only with depositWithExpiry, the function batchTransferOutAndCallV5 is external and callable by anyone.

In the external function batchTransferOutAndCallV5, when fromAsset is address(0), the function calls _transferOutAndCallV5 in a loop. It then calls the target with the msg.value sent to the BATCH function instead of splitting it per transfer. A malicious user can trick the function by calling the batch function with multiple TransferOutAndCallData and a single msg.value, receive the contract's ETH, and could ultimately drain it.

The issue is that the msg.value received in batchTransferOutAndCallV5 is global and not mapped to a single transfer in the loop, so the value sent is incorrect. It is not recommended to use msg.value in a loop. See the POC below.

A couple of TransferOutAndCallData are instantiated. The fromAsset is address(0). The target for both is alice. At the beginning, alice has 1 ether. She calls the function with a value of 1 ether but ends up with 2 ethers. What happens behind the scenes is that the same msg.value is used twice in the function to call the target, so the final balance will be 2 ethers.

Impact
The integrity of the protocol is compromised.
POC
Recommended Mitigation
Here are some ways to handle this:

- The function _transferOutAndCallV5 should use the fromAmount and not msg.value.
- The sum of fromAmount should be equal to the msg.value passed to the batchTransferOutAndCallV5 function, and the _transferOutAndCallV5 function should use the fromAmount instead of msg.value.
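To make the pattern concrete, here is an added, simplified illustration (not the THORChain router's code; the struct and function names are hypothetical stand-ins) showing the msg.value-in-a-loop defect beside a fixed version that forwards each item's own fromAmount and checks that the native amounts sum to msg.value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified batch item (not the router's real struct).
struct TransferOutAndCallData {
    address payable target;
    address fromAsset;   // address(0) means native ETH
    uint256 fromAmount;  // amount this single item is supposed to forward
    bytes payload;
}

contract BatchRouterVulnerable {
    // DEFECT: every native-asset iteration forwards the whole msg.value, so a
    // batch of N items with fromAsset == address(0) pays out N * msg.value,
    // with everything beyond the first msg.value coming from the contract's
    // own balance.
    function batchTransferOutAndCall(TransferOutAndCallData[] calldata items) external payable {
        for (uint256 i = 0; i < items.length; i++) {
            if (items[i].fromAsset == address(0)) {
                (bool ok, ) = items[i].target.call{value: msg.value}(items[i].payload);
                require(ok, "call failed");
            }
        }
    }
}

contract BatchRouterFixed {
    // FIX: each item forwards only its own fromAmount, and the native amounts
    // are summed and compared with msg.value. If the sum does not match, the
    // require reverts the whole transaction, so no partial payout survives.
    function batchTransferOutAndCall(TransferOutAndCallData[] calldata items) external payable {
        uint256 totalNative;
        for (uint256 i = 0; i < items.length; i++) {
            if (items[i].fromAsset == address(0)) {
                totalNative += items[i].fromAmount;
                (bool ok, ) = items[i].target.call{value: items[i].fromAmount}(items[i].payload);
                require(ok, "call failed");
            }
        }
        require(totalNative == msg.value, "native amount mismatch");
    }
}
```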
Logs with the same test and the new logic in place:
Assessed type
ETH-Transfer