Axelar Network - 0xkazim's results

Decentralized interoperability network.

General Information

Platform: Code4rena

Start Date: 12/07/2023

Pot Size: $80,000 USDC

Total HM: 11

Participants: 47

Period: 9 days

Judge: berndartmueller

Total Solo HM: 1

Id: 260

League: ETH

Axelar Network

Findings Distribution

Researcher Performance

Rank: 28/47

Findings: 1

Award: $94.77

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
satisfactory
duplicate-319

Awards

94.7708 USDC - $94.77

External Links

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/governance/InterchainGovernance.sol#L87-L103

https://github.com/axelarnetwork/axelar-gmp-sdk-solidity/blob/b062627673a86d4497d59fdaddf54c07578e3bf9/contracts/executable/AxelarExecutable.sol#L17-L29

Vulnerability details

Impact

The function _execute needs to be set to payable because it handles the native token. This function is internal and is called from the execute function in AxelarExecutable.sol, which is not payable either.

Note: AxelarExecutable.sol is out of scope, but this report concerns the _execute function, which is in scope.

Proof of Concept

The _execute function uses the native token when it calls _processCommand to create a proposal:

function _execute(
    string calldata sourceChain,
    string calldata sourceAddress,
    bytes calldata payload
) internal override {
    //@audit add payable
    if (keccak256(bytes(sourceChain)) != governanceChainHash || keccak256(bytes(sourceAddress)) != governanceAddressHash)
        revert NotGovernance();

    (uint256 command, address target, bytes memory callData, uint256 nativeValue, uint256 eta) = abi.decode(
        payload,
        (uint256, address, bytes, uint256, uint256)
    );

    if (target == address(0)) revert InvalidTarget();

    _processCommand(command, target, callData, nativeValue, eta);
}

The execute function, which calls the function above, is not payable either (out of scope):

function execute(
    bytes32 commandId,
    string calldata sourceChain,
    string calldata sourceAddress,
    bytes calldata payload
) external {
    bytes32 payloadHash = keccak256(payload);

    if (!gateway.validateContractCall(commandId, sourceChain, sourceAddress, payloadHash)) revert NotApprovedByGateway();

    _execute(sourceChain, sourceAddress, payload);
}

The _execute function should be payable if it uses the native token.
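As an added illustration (not code from this report or from Axelar), the contract below shows the pattern the finding points at: in Solidity native value can only enter through an entry point declared payable, and the compiler rejects payable on internal functions, so the external execute is the function that carries the modifier while the internal handler checks the available balance before forwarding nativeValue to the target. The contract, error and event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract written for this illustration; it is not Axelar code.
contract NativeValueExecutable {
    error InvalidTarget();
    error InsufficientNativeValue(uint256 required, uint256 available);
    error CallFailed();

    event Executed(address indexed target, uint256 nativeValue);

    // The external entry point is the only place `payable` can be declared,
    // so this is where native value enters the contract. Without `payable`
    // here, any call that attaches msg.value reverts before _execute runs.
    function execute(bytes calldata payload) external payable {
        _execute(payload);
    }

    // Internal handlers cannot be `payable`; they rely on the balance that
    // the payable entry point (or prior funding via receive) made available.
    function _execute(bytes calldata payload) internal {
        (address target, bytes memory callData, uint256 nativeValue) =
            abi.decode(payload, (address, bytes, uint256));

        if (target == address(0)) revert InvalidTarget();

        // Confirm the contract actually holds the value it is about to forward,
        // so a payload asking for more than was supplied fails loudly.
        uint256 available = address(this).balance;
        if (available < nativeValue) {
            revert InsufficientNativeValue(nativeValue, available);
        }

        (bool ok, ) = target.call{value: nativeValue}(callData);
        if (!ok) revert CallFailed();

        emit Executed(target, nativeValue);
    }

    // Allows the contract to be funded ahead of time for later commands.
    receive() external payable {}
}
```

The balance check rather than a strict msg.value comparison is a design choice for this illustration: it lets a previously funded contract forward value on a call that attaches none, while still rejecting a payload whose nativeValue exceeds what the contract holds.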

Tools Used

Manual review

Add payable to the _execute function.

Assessed type

Payable

#0 - c4-pre-sort

2023-07-29T00:04:16Z

0xSorryNotSorry marked the issue as duplicate of #319

#1 - c4-judge

2023-09-08T10:59:20Z

berndartmueller marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
