search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

jasonxiale - assets might be stuck in the AvailBridge #122

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

jasonxiale

medium

assets might be stuck in the AvailBridge

Summary

assets might be stuck in the AvailBridge.sol

Vulnerability Detail

In AvailBridge.sol, the contract doesn't record the amount of ETH/ERC20 should be crossed, if the dest chain fails to receive ETH/ERC20, the ETH/ERC20 transferred in the src chain will be lost.

Impact

In AvailBridge.sol, while transfer ETH/ERC20 to dest, if the dest can't handle the ETH/ERC20, the ETH/ERC20 will be stucked.

Code Snippet

I will take AvailBridge.receiveETH as an example to demonstrate, ERC20 has the same issue. https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L238-L263

In above code, while the contract fails to transfer ETH, the function will emit a event

But in the event, there is no information about the amount of ETH being sent.

On the other hand, when looking into AvailBridge.sendETH: https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L355-L374 The contract doesn't record the amount of ETH be sent too

So if dest fails to receive ETH, the protocol doesn't know the amount of the ETH to refund to the msg.sender even he wants.

Tool used

Manual Review

Recommendation

sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. We have a check at the end

takarez commented:

invalid because {invalid: no clear impact mentioned}