Platform: Code4rena
Start Date: 07/10/2022
Pot Size: $50,000 USDC
Total HM: 4
Participants: 62
Period: 5 days
Judge: 0xean
Total Solo HM: 2
Id: 169
League: ETH
Rank: 27/62
Findings: 1
Award: $50.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x4non, 0xNazgul, Bnke0x0, Chom, IllIllI, Josiah, Rahoz, RaymondFam, Trust, Waze, ajtra, bobirichman, brgltd, bulej93, c3phas, cccz, chrisdior4, delfin454000, fatherOfBlocks, gogo, ladboy233, mcwildy, mics, nicobevi, oyc_109, rbserver, rotcivegaf, zzzitron
50.2765 USDC - $50.28
GRT may be locked in the destination contract forever if the user or external developers bridge it to a contract that requires onTokenTransfer without sending data.
Since users or external developers may not understand GRT bridging correctly. They may bridge to a contract in the destination chain that requires onTokenTransfer in the hope that it will be executed.
require( extraData.length == 0 || callhookWhitelist[msg.sender] == true, "CALL_HOOK_DATA_NOT_ALLOWED" );
Users or external developers can't send callhook but can bridge GRT to a contract on the destination chain that requires onTokenTransfer. These contract may not contains any logic to handle fund sending without calling onTokenTransfer.
Add another whitelist to disallow users or external developers to send fund to these contracts
require( (extraData.length == 0 && !destinationBlacklisted[_to]) || callhookWhitelist[msg.sender] == true, "CALL_HOOK_DATA_NOT_ALLOWED" );
#0 - 0xean
2022-10-15T22:33:20Z
The expectation of maintaining a black list is not reasonable here. This really boils down to a developer (an advanced user) attempting to send tokens in a way they don't understand. Seems very similar to a user sending tokens to contract incorrectly on the same chain and them becoming trapped. Downgrading to QA