Closed sherlock-admin3 closed 3 months ago
Escalate
This report shows an issue that affects all ADO contracts. Payment transfers will succeed even when the required recipient transfers fail. The impact varies but in the case of Timelock ADO, it leads to a loss of funds because the escrow is removed even if the fund transfer failed. In the Rates module, some payments will need to pay for taxes or royalties. However, the taxes and royalties can fail but the transaction will still succeed.
The issue is in generate_direct_msg() and generate_msg_cw20() which are functions in a file in-scope packages/std/src/amp/recipient.rs.
You've deleted an escalation for this issue.
You are right @Kallya! Thank you 🙏🏼
Medium
Payment transactions succeed even when recipient transfers fail
Summary
generate_msg_cw20() and generate_direct_msg() are Recipient messages that send payment to the recipient. However, the messages are fire-and-forget and do not fail the transaction which causes unintended consequences that will be described in the Impact section.
Vulnerability Detail
All the resulting SubMsgs of generate_msg_cw20() and generate_direct_msg() are created from SubMsg::new().
ref: https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/main/andromeda-core/packages/std/src/amp/recipient.rs#L48-L65
SubMsg::new() creates fire-and-forget messages by setting reply_on to never.
generate_direct_msg() and generate_msg_cw20() are used in the following:
ADOContract's execution handler (all ADOs)
Impact
The impact can vary depending on the contract. In Timelock ADO, when funds are released, the escrows of the released funds are removed even when the transfers to the fund recipients fail. This is because failure of fund recipient transfers will not revert the transaction.
Once escrows are removed, those funds are permanently lost and can no longer be claimed by the intended recipients.
Code Snippet
Tool used
Manual Review
Recommendation
Consider setting the reply_on fields to ReplyOn::Always for both generate_direct_msg() and generate_msg_cw20() and only rely on add_messages() to set the messages to fire-and-forget.
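An added example, not part of the report or of the Andromeda code base: a self-contained Rust model for checking how a failed recipient transfer interacts with each reply_on value in a release flow like the Timelock one discussed above. It models the dispatch rule documented for CosmWasm (a submessage error aborts the parent transaction unless reply() is invoked for that error and returns Ok); State, release_all, swallow, propagate and the blocked list are hypothetical names, and no cosmwasm_std types are used.

```rust
// Added model of CosmWasm submessage dispatch; not cosmwasm_std or Andromeda code.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ReplyOn { Never, Success, Error, Always }
#[derive(Clone, Debug, Default, PartialEq)]
pub struct State {
    pub escrows: HashMap<String, u64>,  // recipient -> locked amount
    pub balances: HashMap<String, u64>, // recipient -> amount received
}

pub type Reply = fn(&Result<(), String>) -> Result<(), String>;
pub fn swallow(_: &Result<(), String>) -> Result<(), String> { Ok(()) } // reply() ignores the error
pub fn propagate(r: &Result<(), String>) -> Result<(), String> { r.clone() } // reply() re-raises it

// Constructed failure condition: transfers to names in `blocked` return an error.
fn transfer(s: &mut State, to: &str, amount: u64, blocked: &[&str]) -> Result<(), String> {
    if blocked.contains(&to) { return Err(format!("transfer to {to} failed")); }
    *s.balances.entry(to.to_string()).or_default() += amount;
    Ok(())
}

/// Hypothetical release flow: remove every escrow, then dispatch one transfer
/// submessage per recipient. Ok(state) is what gets committed; Err means the
/// whole transaction reverts and `start` stays as it was.
pub fn release_all(start: &State, reply_on: ReplyOn, blocked: &[&str], reply: Reply)
    -> Result<State, String> {
    let mut state = start.clone();
    let payouts: Vec<(String, u64)> = state.escrows.drain().collect();
    for (to, amount) in &payouts {
        let mut sub = state.clone(); // a submessage runs on its own snapshot
        let res = transfer(&mut sub, to, *amount, blocked);
        if res.is_ok() { state = sub; } // its writes are kept only on success
        let reply_called = matches!((reply_on, res.is_ok()),
            (ReplyOn::Always, _) | (ReplyOn::Success, true) | (ReplyOn::Error, false));
        if reply_called { reply(&res)?; } // Err from reply() aborts the transaction
        else { res?; }                    // an uncaught submessage error aborts it too
    }
    Ok(state)
}

fn main() {
    let mut start = State::default();
    start.escrows.insert("alice".into(), 100); // constructed sample escrows
    start.escrows.insert("bob".into(), 50);
    for mode in [ReplyOn::Never, ReplyOn::Always] {
        println!("{mode:?}: {:?}", release_all(&start, mode, &["bob"], swallow));
    }
}
```

In this model the only run that commits an emptied escrow alongside an unpaid recipient is one where reply() is called for the error and returns Ok, so a reply_on change needs a reply handler that propagates transfer errors.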