Axelar Network contest - cccz's results

Decentralized interoperability network.

General Information

Platform: Code4rena

Start Date: 07/04/2022

Pot Size: $50,000 USDC

Total HM: 5

Participants: 19

Period: 5 days

Judge: 0xean

Total Solo HM: 4

Id: 109

League: COSMOS


Researcher Performance

Rank: 5/19

Findings: 2

Award: $6,332.02

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: cccz

Labels

bug
2 (Med Risk)
sponsor confirmed

Awards

6071.4286 USDC - $6,071.43

External Links

Lines of code

https://github.com/code-423n4/2022-04-axelar/blob/main/src/AxelarGateway.sol#L284-L334

Vulnerability details

Impact

When tokenAddress is a fee-on-transfer token, in the _burnTokenFrom function, the actual amount of tokens received by the contract will be less than the amount.

Proof of Concept

https://github.com/code-423n4/2022-04-axelar/blob/main/src/AxelarGateway.sol#L284-L334

Tools Used

None

Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.

#0 - deluca-mike

2022-04-13T20:49:05Z

Valid for TokenType.External, since it is a token implementation that is not ours, and thus could actually transfer us less than expected due to fees.

Keep in mind that, in the case of a malicious token contract, it could also lie about the balanceOf.

In any case, if and when we wanted to accept fee-on-transfer tokens in the gateway, we might need to implement the recommended mitigation steps; however, it is not that simple because there is no link (on-chain) here that ensures the amount the gateway burns is equal to the amount the gateway/validators mint elsewhere. Knowing the actual amount burned is not critical to the source gateway, but rather to the validators that will need to create the mint command elsewhere.
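
The mitigation recommended in this finding, measuring the received amount from the balanceOf difference around transferFrom, shown as an added example that is not code from the Axelar repository, the finding, or the sponsor. The contract, function, event and error names are hypothetical, and the compiler version is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Minimal ERC-20 surface needed by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract for illustration only; not AxelarGateway code.
contract ReceivedAmountExample {
    error TransferFailed();
    error NothingReceived();

    // Publishes the measured amount so that off-chain parties act on what
    // actually arrived instead of on the requested amount.
    event Received(address indexed token, address indexed from, uint256 requested, uint256 received);

    // Pulls `amount` of `token` from the caller and returns what was really credited.
    function pullTokens(address token, uint256 amount) external returns (uint256 received) {
        // High-level call: reverts if `token` has no code.
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));

        // Low-level call tolerates tokens that return no value from transferFrom.
        (bool success, bytes memory returnData) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        if (!success || (returnData.length != 0 && !abi.decode(returnData, (bool)))) {
            revert TransferFailed();
        }

        uint256 balanceAfter = IERC20(token).balanceOf(address(this));

        // Checked arithmetic (Solidity 0.8+) reverts if the balance decreased.
        received = balanceAfter - balanceBefore;
        if (received == 0) revert NothingReceived();

        // For a fee-on-transfer token, received < amount.
        // Caveat from the sponsor's comment: balanceOf is answered by the token
        // itself, so a malicious token contract can misreport it. The difference
        // is only as trustworthy as the token implementation.
        emit Received(token, msg.sender, amount, received);
    }
}
```

The measured value only helps if whoever creates the corresponding mint elsewhere uses `received` rather than `amount`, which is the on-chain link the sponsor notes is missing.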

Findings Information

🌟 Selected for report: IllIllI

Also found by: CertoraInc, Dravee, Funen, cccz, delfin454000, dirk_y, ilan, rayn, rishabh

Labels

bug
QA (Quality Assurance)
sponsor disputed

Awards

260.5853 USDC - $260.59

External Links

Low

data length is not checked before abi.decode

Impact

Data length is not checked before using abi.decode on data in the _deployToken function; it will fail when the data length is less than 32.

Proof of Concept

https://github.com/code-423n4/2022-04-axelar/blob/main/src/AxelarGateway.sol#L356

Tools Used

None

Add a length check for data.

Anyone can call the DepositHandler contract to execute arbitrary methods and destroy the contract.

Impact

Anyone can call the DepositHandler contract to execute arbitrary methods and destroy the contract.

Proof of Concept

https://github.com/code-423n4/2022-04-axelar/blob/main/src/DepositHandler.sol

Tools Used

None

Consider adding access controls

#0 - deluca-mike

2022-04-13T23:58:13Z

data length is not checked before abi.decode

This is fine as an invalid response from the TokenDeployer will rightfully result in a revert.

Anyone can call the DepositHandler contract to execute arbitrary methods and destroy the contract.

Disputed, see #3.
