search

hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4

Other
1 stars 3 forks source link

Acknowledgement processing can be `return bombed` due to use of `address.send` leading to loss of funds #70

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xf02c0b7844e9d7a3abbeb774c75a730330692d61cd56b91c1ada9f7f49027e30 Severity: high

Description: Description\ The IncentivizedMessageEscrow._handleAck function performs Solidity's send call to transfer native tokens.

        if(!payable(refundGasTo).send(refund)) {
            payable(SEND_LOST_GAS_TO).transfer(refund); 
        }

https://github.com/catalystdao/GeneralisedIncentives/blob/main/src/IncentivizedMessageEscrow.sol#L437-L439

Even though the send call only forwards 2300 gas still it is susceptible to return-data-bomb attack, i.e, the recipient can return a huge amount of data which will be copied to memory of _handleAck call. This happens by default. This large amount of returned data can cause the _handleAck call to revert due to block gas limit.

Hence the acknowledgement cannot be processed, all attempts of calling IncentivizedMessageEscrow.processPacket will get reverted.

This can lead to huge amount of losses for protocol.

Attack Scenario

  1. Attacker calls Vault.sendAssets with refundGasTo set to a malicious contract address. The tokens deposited by attacker gets added to escrowed amount in vault.
  2. Relayers submit IncentivizedMessageEscrow.processPacket call on destination chain. Attacker receives funds on destination chain.
  3. Relayers call IncentivizedMessageEscrow.processPacket to submit acknowledgement on source chain, the function tries to call send on malicious refundGasTo address.
  4. The refundGasTo performs the return data bomb and the processPacket (ack) call gets reverted.
  5. Attacker's deposited amount remains in the escrowed accounting, processPacket cannot be executed. Further recoverAck cannot be executed due to this statement.

The escrowed tokens are lost forever.

The attack can be performed by any of the recipients of the send call.

Attachments

  1. Proof of Concept (PoC) File Provided above

  2. Revised Code File (Optional) Consider using assembly for transferring funds to refundGasTo address.

reednaa commented 5 months ago

Dude, solidity...

We sadly need a PoC for this. You can use our return bomber contact to create a PoC: https://github.com/catalystdao/GeneralisedIncentives/blob/main/test/mocks/ReturnBomber.sol

The reason why I need a PoC is because I don't think it is that bad. You can't do a lot of damage in 2300 gas.