No way to recover funds from the failed bridge transaction.

Summary

Vulnerability Detail

If the bridge transaction fails and the recipient is unable to receive the tokens/ETH all funds will be lost.

For example, someone initiates a bridge transaction to bridge USDC from Avail to Ethereum.

On the Ethereum side, the receiveER20 function is used to process and prove that the bridge transaction is correct and should be processed.

function receiveERC20(Message calldata message, MerkleProofInput calldata input)
    external
    whenNotPaused
    onlySupportedDomain(message.originDomain, message.destinationDomain)
    onlyTokenTransfer(message.messageType)
    nonReentrant
{
    (bytes32 assetId, uint256 value) = abi.decode(message.data, (bytes32, uint256));
    address token = tokens[assetId];
    if (token == address(0)) {
        revert InvalidAssetId();
    }

    _checkBridgeLeaf(message, input);

    // downcast SCALE-encoded bytes to an Ethereum address
    address dest = address(bytes20(message.to));

    emit MessageReceived(message.from, dest, message.messageId);

    IERC20(token).safeTransfer(dest, value);
}

If the IERC20(token).safeTransfer(dest, value) fails the transaction will revert and the funds will be lost. It can fail if the receiving address is on a blacklist. Or when transferring ETH it can fail if the smart contract doesn't support receiving ether.

Impact

All funds can be lost while bridging.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L239-L263

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L271-L292

Tool used

Manual Review

Recommendation

In case of a failure add a mechanism where the bridge tx initiator can claim their tokens back.

sherlock-audit / 2023-12-avail-judging

evmboi32 - No way to recover funds from the failed bridge transaction. #104

No way to recover funds from the failed bridge transaction.

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation