Platform: Code4rena
Start Date: 29/07/2022
Pot Size: $50,000 USDC
Total HM: 6
Participants: 75
Period: 5 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 149
League: ETH
Rank: 53/75
Findings: 1
Award: $56.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: oyc_109
Also found by: 0x1f8b, 0x52, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, IllIllI, JC, Lambda, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Twpony, Waze, Yiko, __141345__, ajtra, apostle0x01, ashiq0x01, asutorufos, bardamu, benbaessler, berndartmueller, bharg4v, bulej93, c3phas, cccz, ch13fd357r0y3r, codexploder, cryptonue, cryptphi, defsec, djxploit, durianSausage, fatherOfBlocks, gogo, hansfriese, horsefacts, ignacio, kyteg, lucacez, mics, rbserver, robee, sashik_eth, simon135, sseefried, tofunmi, xiaoming90
56.3243 USDC - $56.32
In the XC20Wrapper contract, if axelarToken is TokenType.External and is a fee-on-transfer token, the amount of tokens received by the contract in the wrap function will be less than amount, but the amount of wrappedToken minted for the user is amount. The user can drain the axelarToken in the contract by constantly calling the wrap and unwrap functions
None
Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
#0 - Foivos
2022-08-04T14:41:57Z
xc20Wrapper in only meant to be used with non-External tokens. External tokens already exist on moonbeam and they should figure out their own way to go to the rest of Polkadot.
#1 - re1ro
2022-08-05T08:54:32Z
Duplicate of #16
#2 - GalloDaSballo
2022-09-05T00:38:50Z
The warden has shown that the contract for wrapping will not check for the change in balance for the token after the transfer, this will cause issues with both rebasing and feeOnTransfer tokens.
The system requires the owner to addWrapping meaning that the issue could happen only if the token is feeOnTransfer and the Owner decided to allow that token to be wrappable.
The total loss will amount to the cost of the fees, specifically the last few to call unwrap will not be able to receive any token (as all tokens will have already been claimed)
Given that the max loss is some balances, but it is contingent on the admin allowing those tokens, and the token itself being feeOnTransfer, I think Low Severity to be more appropriate.
I recommend end users to check if any token will have fees and recommend the sponsor to either refactor or simply never enable such a token