Platform: Code4rena
Start Date: 07/04/2022
Pot Size: $50,000 USDC
Total HM: 5
Participants: 19
Period: 5 days
Judge: 0xean
Total Solo HM: 4
Id: 109
League: COSMOS
Rank: 12/19
Findings: 1
Award: $199.35
Selected for report: 0
Solo Findings: 0
Selected for report: IllIllI
Also found by: CertoraInc, Dravee, Funen, cccz, delfin454000, dirk_y, ilan, rayn, rishabh
199.3529 USDC - $199.35
https://github.com/code-423n4/2022-04-axelar/blob/main/src/DepositHandler.sol#L27
Anybody can call the destroy function and pass an address to destroy the smart contract and get all the ETH.
Tools Used: Manual
Recommended Mitigation Steps: Use OpenZeppelin's Ownable for critical functions.
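To make the finding and its mitigation concrete, here is an added illustration (not the audited Axelar source) of the unrestricted pattern the warden describes beside a hardened handler that records the deploying gateway and limits execute and destroy to it; the contract names and the assumption that the gateway is the deployer are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the pattern the finding describes; not the
// audited Axelar source. Anyone may call destroy() and choose the recipient.
contract UnrestrictedDepositHandler {
    receive() external payable {}

    function execute(address target, bytes calldata data) external returns (bool ok, bytes memory ret) {
        (ok, ret) = target.call(data);
    }

    // No caller check: any account can trigger this and sweep the balance.
    function destroy(address payable recipient) external {
        selfdestruct(recipient);
    }
}

// Hardened version: the deploying gateway is recorded at construction and is
// the only caller allowed to execute or destroy. Making the gateway the
// Ownable owner, as the mitigation recommends, gives the same guarantee.
contract GatedDepositHandler {
    address public immutable gateway; // assumed: the gateway deploys this contract

    modifier onlyGateway() {
        require(msg.sender == gateway, "DepositHandler: caller is not the gateway");
        _;
    }

    constructor() {
        gateway = msg.sender;
    }

    receive() external payable {}

    function execute(address target, bytes calldata data) external onlyGateway returns (bool ok, bytes memory ret) {
        (ok, ret) = target.call(data);
    }

    function destroy(address payable recipient) external onlyGateway {
        selfdestruct(recipient);
    }
}
```

If the handler is only ever deployed, used and destroyed inside a single gateway transaction, as the sponsor argues, the check costs little and removes the dependence on that lifecycle holding in future gateway versions.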
#0 - deluca-mike
2022-04-13T20:41:59Z
While technically true, the DepositHandler never exists on chain outside of the transaction it is deployed in, since the gateway deploys it, calls execute one or more times, and then calls destroy. With the current gateway code, there is never a time when it exists outside of the gateway's runtime context. In any case, we will add a comment/note to the gateway and deposit handler to make this clear for future readers/auditors.
#1 - 0xean
2022-04-23T16:59:57Z
Based on the current usage of the contracts, the sponsor does seem to be correct about the lifecycle of the contract. I personally would err on the side of caution since external calls are being made during that lifecycle and there may be a risk there. Without a demonstrable attack vector I am going to downgrade this to QA.
#2 - JeeberC4
2022-04-24T03:00:49Z
Generating QA Report as warden did not submit one and the judge downgraded. Preserving original title: Anybody can destroy contract and take all the ether