code-423n4 / 2024-06-thorchain-findings


Wrong address will receive msg.value when call failed #67

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-thorchain/blob/main/chain/ethereum/contracts/THORChain_Router.sol#L324

Vulnerability details

Impact

ETH is transferred to the wrong address.

Proof of Concept

When the aggregator fails to execute swapOutV5 when the _transferOutAndCallV5 function is called,

it should be the recipient that receives the msg.value,

but now ETH is sent to the aggregator:

bool sendSuccess = payable(aggregationPayload.target).send(msg.value);

Tools Used

Nothing

Recommended Mitigation Steps

+       bool sendSuccess = payable(aggregationPayload.recipient).send(msg.value); 
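
Review bot: the suggested line still refunds with `.send(msg.value)` and only assigns the result to `sendSuccess`, so the suggestion does not show what happens when the refund itself fails. `.send` forwards a fixed 2300 gas stipend and returns false instead of reverting, so a recipient that is a contract with a non-trivial receive function would not get the ETH either. Include the line that handles `sendSuccess` and the `-` line being replaced, so the change can be read as a complete hunk.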

Assessed type

Other

c4-judge commented 4 months ago

trust1995 marked the issue as unsatisfactory: Invalid

c4-judge commented 4 months ago

trust1995 marked the issue as unsatisfactory: Out of scope