code-423n4 / 2024-06-thorchain-findings


`transferOutAndCallV5` and `batchTransferOutAndCallV5` emit the `TransferOutAndCallV5` event, which is not handled in Bifrost #93

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-06-thorchain/blob/e5ae503d0dc2394a82242be6860eb538345152a1/ethereum/contracts/THORChain_Router.sol#L304-L389
https://github.com/code-423n4/2024-06-thorchain/blob/e5ae503d0dc2394a82242be6860eb538345152a1/ethereum/contracts/THORChain_Router.sol#L391-L395
https://github.com/code-423n4/2024-06-thorchain/blob/e5ae503d0dc2394a82242be6860eb538345152a1/ethereum/contracts/THORChain_Router.sol#L397-L403
https://github.com/code-423n4/2024-06-thorchain/blob/e5ae503d0dc2394a82242be6860eb538345152a1/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L166-L343

Vulnerability details

Impact

Unlike the transferOutAndCall functions, which emit the TransferOutAndCall event, the transferOutAndCallV5 and batchTransferOutAndCallV5 functions emit the TransferOutAndCallV5 event.

However, the TransferOutAndCallV5 event is not handled in the GetTxInItem function of the smartcontract_log_parser.go file (there is no case to handle it in the switch statement). As a result, when a THORChain vault uses the transferOutAndCallV5 or batchTransferOutAndCallV5 function, it spends its allowance in the Router without the THORChain network acknowledging the outbound transfers.

Tools Used

Manual Review

Recommended Mitigation Steps

Emit TransferOutAndCall instead of TransferOutAndCallV5 in transferOutAndCallV5 and batchTransferOutAndCallV5.

Assessed type

Other
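The failure mode in this finding is a log-parser switch that has no case for an event the contract emits and no default branch, so the log is dropped without any signal. The Go program below is an added illustration written for this page, not Bifrost's or the THORChain_Router's own code: the event names come from the finding, but the topic strings, the `Log` and `TxInItem` shapes, and the set of events in `RouterEvents` are constructed placeholders (the real parser keys on keccak256 event selectors from the ABI). It contrasts a parser with the described gap against one that handles the V5 event and turns any other router topic into an error, and adds `UnhandledRouterEvents`, a coverage check a team can run whenever the router ABI changes to catch exactly this class of bug before deployment.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Constructed topic identifiers standing in for the keccak256 event selectors.
// Only the event names are taken from the finding; the values are placeholders.
const (
	TopicDeposit              = "topic:Deposit"
	TopicTransferOut          = "topic:TransferOut"
	TopicTransferOutAndCall   = "topic:TransferOutAndCall"
	TopicTransferOutAndCallV5 = "topic:TransferOutAndCallV5"
)

// RouterEvents is an assumed event-name -> topic table for the router ABI.
var RouterEvents = map[string]string{
	"Deposit":              TopicDeposit,
	"TransferOut":          TopicTransferOut,
	"TransferOutAndCall":   TopicTransferOutAndCall,
	"TransferOutAndCallV5": TopicTransferOutAndCallV5,
}

// Log is a minimal stand-in for a decoded EVM log (topic0 = event selector).
type Log struct {
	Topic0 string
	Vault  string
	Amount uint64
}

// TxInItem is a minimal stand-in for the record the chain client hands to the network.
type TxInItem struct {
	Kind   string
	Vault  string
	Amount uint64
}

var ErrUnknownRouterEvent = errors.New("router log with unhandled event topic")

// parseVulnerable mirrors the defect described in the finding: no case for the
// V5 topic and no default branch, so a V5 log yields (nil, nil) and is silently dropped.
func parseVulnerable(l Log) (*TxInItem, error) {
	switch l.Topic0 {
	case TopicDeposit:
		return &TxInItem{"deposit", l.Vault, l.Amount}, nil
	case TopicTransferOut:
		return &TxInItem{"transfer_out", l.Vault, l.Amount}, nil
	case TopicTransferOutAndCall:
		return &TxInItem{"transfer_out_and_call", l.Vault, l.Amount}, nil
	}
	return nil, nil
}

// parseFixed handles both TransferOutAndCall variants and refuses any other
// router topic with an error, so an unhandled event surfaces in logs instead of
// disappearing while the vault's allowance is still spent.
func parseFixed(l Log) (*TxInItem, error) {
	switch l.Topic0 {
	case TopicDeposit:
		return &TxInItem{"deposit", l.Vault, l.Amount}, nil
	case TopicTransferOut:
		return &TxInItem{"transfer_out", l.Vault, l.Amount}, nil
	case TopicTransferOutAndCall, TopicTransferOutAndCallV5:
		return &TxInItem{"transfer_out_and_call", l.Vault, l.Amount}, nil
	default:
		return nil, fmt.Errorf("%w: %s", ErrUnknownRouterEvent, l.Topic0)
	}
}

// Topic sets each parser recognises; used by the coverage check below.
var vulnerableHandled = map[string]bool{
	TopicDeposit: true, TopicTransferOut: true, TopicTransferOutAndCall: true,
}
var fixedHandled = map[string]bool{
	TopicDeposit: true, TopicTransferOut: true,
	TopicTransferOutAndCall: true, TopicTransferOutAndCallV5: true,
}

// UnhandledRouterEvents returns, sorted, the ABI events whose topic the parser
// does not recognise. Run it against the real ABI as a CI assertion: a non-empty
// result means some outbound path can spend allowance unseen by the network.
func UnhandledRouterEvents(abi map[string]string, handled map[string]bool) []string {
	var missing []string
	for name, topic := range abi {
		if !handled[topic] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	v5 := Log{Topic0: TopicTransferOutAndCallV5, Vault: "vault-1", Amount: 100} // constructed sample log
	item, err := parseVulnerable(v5)
	fmt.Printf("vulnerable parser: item=%v err=%v\n", item, err) // dropped: <nil> <nil>
	item, err = parseFixed(v5)
	fmt.Printf("fixed parser: item=%+v err=%v\n", item, err)
	fmt.Println("events the vulnerable parser drops:", UnhandledRouterEvents(RouterEvents, vulnerableHandled))
	fmt.Println("events the fixed parser drops:", UnhandledRouterEvents(RouterEvents, fixedHandled))
}
```

The default branch matters as much as the added case: a parser that ignores unknown topics from a contract it is supposed to track will hide the next renamed event just as quietly, so unknown router topics should fail loudly and the ABI-versus-parser comparison should run before every router upgrade.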

c4-judge commented 3 months ago

trust1995 marked the issue as partial-50

c4-judge commented 3 months ago

trust1995 marked the issue as unsatisfactory: Out of scope