Short-term loss of funds if owner recovers ERC-20, otherwise permanent loss of funds if owner can't recover
Description
While sending ERC-20 from AlephZero to ETH: during receiveRequest() (if the signature count is sufficient) the ERC-20 transfer can fail but the transaction is not reverted: the requestHash is marked as processed and deleted from pendingRequests. This means these funds will be stuck in the contract and can only be recovered by the owner via recoverERC20().
Blacklisted tokens: It's worth to note that tokens with blacklist (USDT / USDC) are not supported by the current implementation. Sending to a blacklisted address is one instance where an ERC-20 transfer can fail.
Either revert the transaction when tokenTransferReturnSuccess returns false or immediately send back the token to the original sender on AlephZero via sendRequest().
Out of scope section: "Loss/freezing of funds caused by user error: for example sending tokens to addresses that cannot receive funds/user has no access for."
Github username: @0xfuje Twitter username: 0xfuje Submission hash (on-chain): 0x0cc5d64fcb1309e8ea2a654336ebcb870e364cc55ea00ec7eed9ab765aec8c5b Severity: low
Description:
Impact
Short-term loss of funds if owner recovers ERC-20, otherwise permanent loss of funds if owner can't recover
Description
While sending ERC-20 from AlephZero to ETH: during
receiveRequest()
(if the signature count is sufficient) the ERC-20 transfer can fail but the transaction is not reverted: therequestHash
is marked as processed and deleted frompendingRequests
. This means these funds will be stuck in the contract and can only be recovered by the owner viarecoverERC20()
.Blacklisted tokens: It's worth to note that tokens with blacklist (USDT / USDC) are not supported by the current implementation. Sending to a blacklisted address is one instance where an ERC-20 transfer can fail.
Most.sol
-receiveRequest()
Recommendation
Either revert the transaction when
tokenTransferReturnSuccess
returns false or immediately send back the token to the original sender on AlephZero viasendRequest()
.