CrosschainDistributor incorrectly assumes that domain of destination chains will never be 0
Summary
CrosschainDistributor incorrectly assumes that the domain of destination chains will never be 0. This assumption is over-optimistic and can lead to incorrect token distribution.
Vulnerability Detail
The CrosschainDistributor._settleClaim function looks like this:
It can be seen that if the _recipientDomain is 0 then the tokens are transferred on the same chain, i.e., the cross-chain token transfer is not triggered.
The domain of a destination chain in the Connext network is independent of the chain id and can be arbitrary. The Connext protocol never guarantees that the domain of a chain will be non-zero.
Consider this scenario:
A new chain gets supported by Connext whose domain is 0.
A smart contract wallet is set to receive airdrop tokens on the new chain. The Distributor contract is present on a different chain.
_settleClaim is invoked for the recipient.
As the domain of the destination chain is 0, the tokens will be incorrectly distributed on the same chain as the Distributor contract.
In this scenario, the airdrop tokens were transferred to a different chain than intended for a smart contract recipient. Note that this is an outcome the protocol always wanted to prevent, as stated here, because contracts do not share the same addresses across different chains.
Impact
In the above demonstrated scenario, the tokens were distributed to a different chain than intended for a smart contract.
AkshaySrivastav
high
Code Snippet
https://github.com/sherlock-audit/2023-06-tokensoft/blob/main/contracts/contracts/claim/abstract/CrosschainDistributor.sol#L68C1-L89C4
Tool used
Manual Review
Recommendation
Consider removing the _recipientDomain == 0 condition.
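The routing decision described under Vulnerability Detail, next to the form the Recommendation asks for, as an added Solidity sketch that is not the audited CrosschainDistributor code. IToken, IBridge, localDomain and the function names are hypothetical, and the comparison against the local domain is an assumption about how non-zero domains are handled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration, not the audited contract. IToken and IBridge are
// hypothetical, simplified stand-ins for the ERC-20 token and Connext.
interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
}
interface IBridge {
    function send(uint32 domain, address to, uint256 amount) external returns (bytes32);
}

contract DomainRoutingSketch {
    IToken public immutable token;
    IBridge public immutable bridge;
    uint32 public immutable localDomain; // domain of the chain this contract is on

    constructor(IToken _token, IBridge _bridge, uint32 _localDomain) {
        token = _token;
        bridge = _bridge;
        localDomain = _localDomain;
    }

    // As reported: 0 is treated as "same chain", so a destination chain whose
    // real domain is 0 is unreachable and the claim settles locally instead.
    // The localDomain comparison is an assumption about the non-zero case.
    function _settleAsReported(address recipient, uint32 recipientDomain, uint256 amount)
        internal
        returns (bytes32 transferId)
    {
        if (recipientDomain == 0 || recipientDomain == localDomain) {
            require(token.transfer(recipient, amount), "transfer failed");
        } else {
            transferId = bridge.send(recipientDomain, recipient, amount);
        }
    }

    // As recommended: only an exact match with localDomain settles locally;
    // every other value, including 0, goes through the bridge.
    function _settleAsRecommended(address recipient, uint32 recipientDomain, uint256 amount)
        internal
        returns (bytes32 transferId)
    {
        if (recipientDomain == localDomain) {
            require(token.transfer(recipient, amount), "transfer failed");
        } else {
            transferId = bridge.send(recipientDomain, recipient, amount);
        }
    }
}
```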