Platform: Code4rena
Start Date: 29/07/2022
Pot Size: $50,000 USDC
Total HM: 6
Participants: 75
Period: 5 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 149
League: ETH
Rank: 8/75
Findings: 2
Award: $2,134.93
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-07-axelar/blob/main/xc20/contracts/XC20Wrapper.sol#L71
https://github.com/code-423n4/2022-07-axelar/blob/main/xc20/contracts/XC20Wrapper.sol#L124-L125
Whenever the owner removes a wrapping by calling removeWrapping(), it sets wrapped[axelarToken] to 0. This would allow users to reach _executeWithToken() when the function is used in the future, by calling a function that calls it (i.e. if this function is really meant to be internal rather than external; if it is really an external function, then it can be called at any time).
The call in _executeWithToken() sets the variable xc20 to wrapped[tokenAddress],
which is address(0) after the owner's removeWrapping() call. xc20 will pass the if-statement, and the function then proceeds to transfer tokens to the receiver.
Manual review
The mapping for the removed wrapping should be deleted instead of set to address 0.
#0 - re1ro
2022-08-05T05:53:01Z
Duplicate of #23
#1 - GalloDaSballo
2022-09-04T19:09:41Z
Dup of #23
While the conclusion of how the tokens can be swept is different, the root cause is Admin Privilege can remove wrapping when wrappedBalance > 0
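As an added illustration of the two guards this finding and the judge's root-cause note point at (a hypothetical sketch, not the audited XC20Wrapper code; the wrappedBalance mapping, the minimal IERC20 interface and the function shapes are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not the audited XC20Wrapper. Names mirror the
// finding; IERC20 and wrappedBalance are stand-ins.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract WrapperSketch {
    address public owner;
    // axelarToken => xc20 token; a removed key reads back as address(0)
    mapping(address => address) public wrapped;
    // axelarToken => amount still wrapped and owed to users (assumed to be
    // maintained by the wrap/unwrap paths, which are omitted here)
    mapping(address => uint256) public wrappedBalance;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function addWrapping(address axelarToken, address xc20) external onlyOwner {
        require(xc20 != address(0), "zero xc20");
        wrapped[axelarToken] = xc20;
    }

    // Shape described in the finding: removal is unconditional, so users
    // may still hold balances after the mapping entry is cleared.
    function removeWrappingUnsafe(address axelarToken) external onlyOwner {
        wrapped[axelarToken] = address(0);
    }

    // Hardened: refuse removal while anything is still wrapped. Note that
    // `delete` and assigning address(0) leave the same stored value; the
    // protection comes from the balance check, not from the write itself.
    function removeWrapping(address axelarToken) external onlyOwner {
        require(wrappedBalance[axelarToken] == 0, "outstanding balance");
        delete wrapped[axelarToken];
    }

    // Hardened: a lookup that yields address(0) means the wrapping was
    // removed or never existed, so revert instead of transferring.
    function _executeWithToken(address tokenAddress, address receiver, uint256 amount) internal {
        address xc20 = wrapped[tokenAddress];
        require(xc20 != address(0), "wrapping removed");
        require(IERC20(xc20).transfer(receiver, amount), "transfer failed");
    }
}
```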
🌟 Selected for report: oyc_109
Also found by: 0x1f8b, 0x52, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, IllIllI, JC, Lambda, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Twpony, Waze, Yiko, __141345__, ajtra, apostle0x01, ashiq0x01, asutorufos, bardamu, benbaessler, berndartmueller, bharg4v, bulej93, c3phas, cccz, ch13fd357r0y3r, codexploder, cryptonue, cryptphi, defsec, djxploit, durianSausage, fatherOfBlocks, gogo, hansfriese, horsefacts, ignacio, kyteg, lucacez, mics, rbserver, robee, sashik_eth, simon135, sseefried, tofunmi, xiaoming90
56.1273 USDC - $56.13
Occurrences in:
https://github.com/code-423n4/2022-07-axelar/blob/main/xc20/contracts/XC20Wrapper.sol
https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositService.sol
https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol
Occurrences in:
https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/ReceiverImplementation.sol#L23
https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/ReceiverImplementation.sol#L51
https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L128
This would affect:
AxelarDepositService.refundNativeUnwrap() -> ReceiverImplementation.receiveAndUnwrapNative() -> recipient.transfer(receiver)
AxelarDepositService.nativeUnwrap -> ReceiverImplementation.receiveAndUnwrapNative() -> recipient.transfer(receiver)
Occurrences in:
AxelarDepositService.refundNativeUnwrap() -> ReceiverImplementation.receiveAndUnwrapNative() -> recipient.transfer(receiver)
AxelarDepositService.nativeUnwrap -> ReceiverImplementation.receiveAndUnwrapNative() -> recipient.transfer(receiver)
AxelarDepositService.sendNative() - destinationAddress parameter
refundAddress param in the following functions: AxelarDepositService.refundTokenDeposit() AxelarDepositService.sendNativeDeposit() AxelarDepositService.refundNativeDeposit() AxelarDepositService.nativeUnwrap() AxelarDepositService.
#0 - re1ro
2022-08-05T07:12:11Z
Not applicable. Those contracts are not meant to receive ether directly.
Not applicable. Those are native ether transfers
Dup #3
#1 - GalloDaSballo
2022-08-31T21:01:53Z
Valid Low
Rest is invalid, payable.transfer doesn't need to be checked