lzReceive function inside TOFT, mTOFT and USDO contracts can be used to airdrop tokens to the contract. These tokens can be stolen by anyone.
Vulnerability Detail
Cross-chain receiving logic inside TOFT, mTOFT and USDO is split between lzReceive and lzCompose functions.
lzReceive handles the crediting of tokens and invoking the lzEndpoint.sendCompose so the rest of the cross-chain flow can be executed inside the lzCompose function.
lzCompose in the context of the above-mentioned contracts handles many flows, some of which require the user to airdrop a certain amount of tokens so a specific action can be executed.
An example is withdrawing assets to another chain.
Invalid; Airdropped tokens are supposedly used in the same flow for various operations. Also airdropping tokens randomly it's an act done by a user wrongly using the protocol
GiuseppeDeLaZara
medium
Airdopped tokens can be stolen by anyone
Summary
lzReceive
function insideTOFT
,mTOFT
andUSDO
contracts can be used to airdrop tokens to the contract. These tokens can be stolen by anyone.Vulnerability Detail
Cross-chain receiving logic inside
TOFT
,mTOFT
andUSDO
is split betweenlzReceive
andlzCompose
functions.lzReceive
handles the crediting of tokens and invoking thelzEndpoint.sendCompose
so the rest of the cross-chain flow can be executed inside thelzCompose
function.lzCompose
in the context of the above-mentioned contracts handles many flows, some of which require the user to airdrop a certain amount of tokens so a specific action can be executed. An example is withdrawing assets to another chain.If we check the LayerZero option types it is only possible to airdrop tokens as part of the
lzReceive
and not thelzCompose
function call: https://docs.layerzero.network/contracts/options#lzcompose-optionThis means that the airdropped tokens will be sitting in the
TOFT
contract for example in between the two calls.This is a problem as some other user can directly use these gas tokens to pay for his LayerZero fees, effectively stealing the airdropped tokens.
Impact
Any airdropped tokens as part of the
lzReceive
function call can be stolen by anyone.Code Snippet
Tool used
Manual Review
Recommendation
Disallow airdropping tokens as part of the
lzReceive
function call. This can be done by checking the_extraOptions
passed to thesendPacket
function.