Axelar Network v2 contest - 0xf15ers's results

Decentralized interoperability network.

General Information

Platform: Code4rena

Start Date: 29/07/2022

Pot Size: $50,000 USDC

Total HM: 6

Participants: 75

Period: 5 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 149

League: ETH

Axelar Network

Findings Distribution

Researcher Performance

Rank: 59/75

Findings: 1

Award: $56.13

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Axelar Network

Findings Information

🌟 Selected for report: oyc_109

Also found by: 0x1f8b, 0x52, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, IllIllI, JC, Lambda, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Twpony, Waze, Yiko, __141345__, ajtra, apostle0x01, ashiq0x01, asutorufos, bardamu, benbaessler, berndartmueller, bharg4v, bulej93, c3phas, cccz, ch13fd357r0y3r, codexploder, cryptonue, cryptphi, defsec, djxploit, durianSausage, fatherOfBlocks, gogo, hansfriese, horsefacts, ignacio, kyteg, lucacez, mics, rbserver, robee, sashik_eth, simon135, sseefried, tofunmi, xiaoming90

Awards

56.1273 USDC - $56.13

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L86 https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L63

Vulnerability details

Impact

The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
The claimer smart contract does not implement a payable function.
The claimer smart contract does implement a payable fallback which uses more than 2300 gas unit.
The claimer smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.

Proof of Concept

function receiveAndUnwrapNative(address payable refundAddress, address payable recipient) external {
  .......................
    IWETH9(wrappedTokenAddress).withdraw(amount);
    recipient.transfer(amount);
    .........
  }

Tools Used

manual analysis

Recommended Mitigation Steps

Use call()

#0 - GalloDaSballo
2022-08-03T21:19:14Z

See #203

#1 - re1ro
2022-08-23T00:29:51Z

Duplicate of #4

Axelar Network v2 contest - 0xf15ers's results

Decentralized interoperability network.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-04] QA Report - $56.13

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - GalloDaSballo2022-08-03T21:19:14Z

#1 - re1ro2022-08-23T00:29:51Z

#0 - GalloDaSballo
2022-08-03T21:19:14Z

#1 - re1ro
2022-08-23T00:29:51Z