sherlock-audit / 2024-02-telcoin-platform-audit-update-judging

3 stars 1 forks source link

Ironsidesec - Bridged tokens cannot be handled on the child chain #63

Closed sherlock-admin4 closed 8 months ago

sherlock-admin4 commented 8 months ago

Ironsidesec

high

Bridged tokens cannot be handled on the child chain

Summary

The tokens or Ether bridged to Polygon POS chain are lost due to the lack of the handling because the bridge to user address on polygon is same as mainnet bridge relay contract which cant transfer tokens or some EOA which can be owned by someone.

Vulnerability Detail

    function transferERCToBridge(IERC20 token) internal {
        //zero out approvals
        token.forceApprove(PREDICATE_ADDRESS, 0); 
        // increase approval to necessary amount
        token.safeIncreaseAllowance(
            PREDICATE_ADDRESS,
            token.balanceOf(address(this))
        );

        POS_BRIDGE.depositFor(
>>>         address(this), 
            address(token),
            abi.encodePacked(token.balanceOf(address(this)))
        );
    }

Using Bridge relay contract, anyone can call transferERCToBridge and the balance of the contract will be bridged and transfered to the same contract address on Polygon, because the user param is using address(this) as shown above. So, to handle the bridged tokens on child chain (polygon), the user address should either be a contract / EOA / safe wallet,

Team says that discord proof interacting with the bridge and transfering tokens is essentially the soul purpse of the contract. The reason we use address(this) is because the tokens have been deposited on that address on the mainnet and we need them at that same address on polygon

So, contract ahs to be same address on both chains, but Bridge relay contract lacks token transfer actions.

Now look at the below possiblilities

  1. Deploying this Bridge relay on both chains by same owner with same nonce can yield same contract address, but Bridge relay contract lacks token handling - no tokens can be transfered out.
  2. The possiblities of that address being EOA is high, but no one can know the private key.
  3. The address being a safe wallet is low probability and the Telcoin team being owners is not possible.

So, the main issue is, the tokens bridged are lost forever. Look at the recommendation section

Impact

The tokens bridged from Ethereum to Polygon cannot be transferred or handled by user/owner.

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/21920190e0772afa18e7f856a036fea3ef5b9635/telcoin-contracts/contracts/bridge/BridgeRelay.sol#L67-L81

Tool used

Manual Review

Recommendation

Modify BridgeRelay contract to handle transferring tokens with access control

sherlock-admin4 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

sounds vague and team actually confirmed they did it on purpose; since issue is based on just assumption on who controls that address on Polygon is not enough