Open sherlock-admin opened 1 year ago
payable eth amount to cover connext fees are stuck in the xchaincontroller when the funds are sent to the same chain as the xchaincontroller; correct but as we do the triggers ourselves we would never send any funds when doing the trigger to the homechain. Therefore not high but medium.
hyh
medium
Native funds sent with pushVaultAmounts and sendFundsToVault can be lost
Summary
XChainController's pushVaultAmounts() and sendFundsToVault() do not always use the native funds provided to cover the fees.
In the cases when the funds aren't used they are not returned, ending up frozen on the contract balance as no balance utilization is now implemented.
Vulnerability Detail
Native funds attached to the pushVaultAmounts() and sendFundsToVault() calls are frozen with XChainController when not used.
Impact
Caller's funds meant to cover x-chain transfers are permanently frozen on the XChainController balance when
getVaultChainIdOff(_vaultNumber, _chain)
.Code Snippet
pushVaultAmounts() doesn't call sendXChainAmount() and use funds if
getVaultChainIdOff(_vaultNumber, _chain)
:https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XChainController.sol#L295-L324
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XChainController.sol#L368-L401
sendFundsToVault() similarly do not use funds when
getVaultChainIdOff(_vaultNumber, _chain)
:https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XChainController.sol#L409-L441
Tool used
Manual Review
Recommendation
Consider returning the funds to the caller in both cases.