Silly Amber Shell - Excess fees refunded by endpoint will be stuck in `SolConnector` as it has no function to transfer them out

[sherlock-admin3]

Silly Amber Shell

Medium

Excess fees refunded by endpoint will be stuck in SolConnector as it has no function to transfer them out

Summary

Excess fees refunded by endpoint will be stuck in SolConnector as it has no function to transfer them out

OappSenderUpgradeable::_quote gives an estimate of the fees to sucessfully transmit a message from the src chain to the dst chain. If there is an excess of fees once finally executed, the excess is refunded to the _refundAddress which is configured as address(this).

Root Cause

• _lzSend with _refundAddress is address(this): link
• _lzSend implementation showing fees will be refunded: link
• _quote is an estimate

Internal pre-conditions

• SolConnector send the quoted _msgFee

External pre-conditions

• Fees ar lower than expected and excess is refunded

Attack Path

• Caller of SolConnector::withdraw uses the LayerZero quote function to estimate the _msgFee
• The fees are over-estimated and the excess is refunded to address(this)
• As there is no function to recover the fees, fees are stuck

Impact

• Fees stuck in contract

PoC

No response

Mitigation

Add a mechanism to be able to withdraw the fees