Platform: Code4rena
Start Date: 29/07/2022
Pot Size: $50,000 USDC
Total HM: 6
Participants: 75
Period: 5 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 149
League: ETH
Rank: 20/75
Findings: 2
Award: $110.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: oyc_109
Also found by: 0x1f8b, 0x52, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, IllIllI, JC, Lambda, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Twpony, Waze, Yiko, __141345__, ajtra, apostle0x01, ashiq0x01, asutorufos, bardamu, benbaessler, berndartmueller, bharg4v, bulej93, c3phas, cccz, ch13fd357r0y3r, codexploder, cryptonue, cryptphi, defsec, djxploit, durianSausage, fatherOfBlocks, gogo, hansfriese, horsefacts, ignacio, kyteg, lucacez, mics, rbserver, robee, sashik_eth, simon135, sseefried, tofunmi, xiaoming90
79.0098 USDC - $79.01
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
AxelarGasService.payGasForContractCallWithToken (gasFeeAmount) AxelarGasService.payGasForContractCall (gasFeeAmount) AxelarGasService.addGas (gasFeeAmount)
You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.
Deprecated safeApprove in AxelarDepositService.sol line 29: IERC20(wrappedTokenAddress).approve(gateway, amount); Deprecated safeApprove in ReceiverImplementation.sol line 63: IERC20(wrappedTokenAddress).approve(gateway, amount); Deprecated safeApprove in AxelarGateway.sol line 306: commandSelector = AxelarGateway.approveContractCallWithMint.selector; Deprecated safeApprove in AxelarGateway.sol line 304: commandSelector = AxelarGateway.approveContractCall.selector; Deprecated safeApprove in ReceiverImplementation.sol line 37: IERC20(tokenAddress).approve(gateway, amount);
external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.
ReceiverImplementation.sol.receiveAndUnwrapNative refundAddress ERC20Permit.sol.permit issuer AxelarDepositService.sol.refundTokenDeposit refundAddress
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
owner param should be validated to make sure the owner address is not address(0). Otherwise if not given the right input all only owner accessible functions will be unaccessible.
XC20Sample.sol.transfer_ownership owner_ Proxy.sol.init newOwner
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.
ECDSA.sol, recover
The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked. It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105
IOwnable.sol XC20Sample.sol Upgradable.sol Ownable.sol AdminMultisigBase.sol LocalAsset.sol
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
IAxelarForecallable.sol: function _checkForecallWithToken parameter sourceChain isn't used. (_checkForecallWithToken is internal) IAxelarForecallable.sol: function _checkForecallWithToken parameter tokenSymbol isn't used. (_checkForecallWithToken is internal) TokenDeployer.sol: function deployToken parameter symbol isn't used. (deployToken is external) Upgradable.sol: function _setup parameter data isn't used. (_setup is internal) Proxy.sol: function setup parameter data isn't used. (setup is public) AxelarDepositService.sol: function refundTokenDeposit parameter salt isn't used. (refundTokenDeposit is external) IAxelarForecallable.sol: function _executeWithToken parameter tokenSymbol isn't used. (_executeWithToken is internal) AxelarDepositService.sol: function refundNativeUnwrap parameter salt isn't used. (refundNativeUnwrap is external) IAxelarExecutable.sol: function _executeWithToken parameter sourceAddress isn't used. (_executeWithToken is internal) IAxelarForecallable.sol: function _checkForecallWithToken parameter sourceAddress isn't used. (_checkForecallWithToken is internal) AxelarDepositService.sol: function nativeUnwrap parameter salt isn't used. (nativeUnwrap is external) IAxelarForecallable.sol: function _checkForecall parameter sourceAddress isn't used. (_checkForecall is internal) IAxelarExecutable.sol: function _executeWithToken parameter tokenSymbol isn't used. (_executeWithToken is internal) IAxelarExecutable.sol: function _execute parameter sourceChain isn't used. (_execute is internal) IAxelarForecallable.sol: function _execute parameter sourceAddress isn't used. (_execute is internal) TokenDeployer.sol: function deployToken parameter name isn't used. (deployToken is external) IAxelarForecallable.sol: function _executeWithToken parameter sourceAddress isn't used. (_executeWithToken is internal) IAxelarForecallable.sol: function _executeWithToken parameter amount isn't used. (_executeWithToken is internal) AxelarDepositService.sol: function sendNativeDeposit parameter salt isn't used. (sendNativeDeposit is external) IAxelarForecallable.sol: function _checkForecallWithToken parameter amount isn't used. (_checkForecallWithToken is internal) TokenDeployer.sol: function deployToken parameter cap isn't used. (deployToken is external) IAxelarForecallable.sol: function _checkForecall parameter forecaller isn't used. (_checkForecall is internal) IAxelarForecallable.sol: function _checkForecall parameter payload isn't used. (_checkForecall is internal) AxelarGatewayProxy.sol: function setup parameter params isn't used. (setup is external) TokenDeployer.sol: function deployToken parameter salt isn't used. (deployToken is external) ERC20.sol: function _beforeTokenTransfer parameter from isn't used. (_beforeTokenTransfer is internal) IAxelarForecallable.sol: function _checkForecallWithToken parameter payload isn't used. (_checkForecallWithToken is internal) IAxelarForecallable.sol: function _execute parameter sourceChain isn't used. (_execute is internal) IAxelarExecutable.sol: function _executeWithToken parameter amount isn't used. (_executeWithToken is internal) IAxelarExecutable.sol: function _execute parameter sourceAddress isn't used. (_execute is internal) ERC20.sol: function _beforeTokenTransfer parameter amount isn't used. (_beforeTokenTransfer is internal) IAxelarExecutable.sol: function _executeWithToken parameter sourceChain isn't used. (_executeWithToken is internal) TokenDeployer.sol: function deployToken parameter decimals isn't used. (deployToken is external) IAxelarExecutable.sol: function _executeWithToken parameter payload isn't used. (_executeWithToken is internal) ERC20.sol: function _beforeTokenTransfer parameter to isn't used. (_beforeTokenTransfer is internal) IAxelarExecutable.sol: function _execute parameter payload isn't used. (_execute is internal) IAxelarForecallable.sol: function _executeWithToken parameter sourceChain isn't used. (_executeWithToken is internal) IAxelarForecallable.sol: function _executeWithToken parameter payload isn't used. (_executeWithToken is internal) AxelarDepositService.sol: function sendTokenDeposit parameter salt isn't used. (sendTokenDeposit is external) IAxelarForecallable.sol: function _execute parameter payload isn't used. (_execute is internal) IAxelarForecallable.sol: function _checkForecall parameter sourceChain isn't used. (_checkForecall is internal) IAxelarForecallable.sol: function _checkForecallWithToken parameter forecaller isn't used. (_checkForecallWithToken is internal)
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L189 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L65 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L144 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L128 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/interfaces/IAxelarForecallable.sol#L81 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L46 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/deposit-service/ReceiverImplementation.sol#L51 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L65 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L210 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L170 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L87 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L108 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L189 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/deposit-service/ReceiverImplementation.sol#L23 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/interfaces/IAxelarForecallable.sol#L58 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L21 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L108 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L76 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L63 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L105 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L210 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L170 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L125 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/deposit-service/ReceiverImplementation.sol#L71
The following functions are missing commenting as describe below:
Proxy.sol, init (external), parameters implementationAddress, newOwner, params not commented AxelarGatewayProxy.sol, setup (external), parameter params not commented Proxy.sol, setup (public), parameter data not commented
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/Proxy.sol#L38 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L44 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/AxelarGateway.sol#L204 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/util/Upgradable.sol#L64 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/Upgradable.sol#L66 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/AxelarGateway.sol#L241 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/util/Proxy.sol#L64 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/AxelarGatewayProxy.sol#L26
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
approve without approving 0 first ReceiverImplementation.sol, 63, IERC20(wrappedTokenAddress).approve(gateway, amount);
approve without approving 0 first AxelarDepositService.sol, 29, IERC20(wrappedTokenAddress).approve(gateway, amount);
approve without approving 0 first ReceiverImplementation.sol, 37, IERC20(tokenAddress).approve(gateway, amount);
The functions below fail to perform input validation on arrays to verify the lengths match. A mismatch could lead to an exception or undefined behavior. Consider making this a medium risk please.
https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/auth/AxelarAuthWeighted.sol#L86 _validateSignatures ['operators', 'weights', 'signatures']
AxelarGasService.sol.payGasForContractCallWithToken inherent IAxelarGasService.sol.payGasForContractCallWithToken but the parameters does not match https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/interfaces/IAxelarGasService.sol#L71
There are ERC20 tokens that charge fee for every transfer() / transferFrom().
Vault.sol#addValue() assumes that the received amount is the same as the transfer amount, and uses it to calculate attributions, balance amounts, etc. But, the actual transferred amount can be lower for those tokens. Therefore it's recommended to use the balance change before and after the transfer instead of the amount. This way you also support the tokens with transfer fee - that are popular.
https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L189 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L189 https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L170 https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L170
Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value. We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens. The list of occurrences in format (solidity file, line number, actual line)
AxelarDepositService.sol, 29, IERC20(wrappedTokenAddress).approve(gateway, amount);
ReceiverImplementation.sol, 63, IERC20(wrappedTokenAddress).approve(gateway, amount);
ReceiverImplementation.sol, 37, IERC20(tokenAddress).approve(gateway, amount);
Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must
ReceiverImplementation.sol, 86 (receiveAndUnwrapNative), recipient.transfer(amount);
#0 - re1ro
2022-08-05T00:42:54Z
Yup. Good spot
Yup. Dup #3
Not applicable. We allow 0 for refund address by design
Not applicable. Our interfaces allow more broad solidity version, so they can be used in other project. Our contracts have fixed solidity version.
Good spot.
Good spot.
Good spot.
Not applicable. Those virtual functions are meant to be overridden by inheriting contracts
Ack
Ack
Not applicable by design
Yup. Dup of #3
Not applicable. Lengths are checked in _transferOperatorship
Override function but with different argument location
Good spot
Tokens with fee on transfer are not supported
Good spot
approve return value is ignored
Good spot
Not applicable. Those are native ether transfers.
#1 - GalloDaSballo
2022-09-04T21:17:59Z
NC
Disputed as usage is fine
##Â 3 Not verified input L
NC
See 3
##Â 6 Named return issue R
NC
Disputed as it's all interfaces
NC
L
L
Skipped the ones I disagree with / are redundant
3L 1R 4NC
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xNazgul, 0xsam, 8olidity, Aymen0909, Bnke0x0, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Fitraldys, JC, Lambda, MiloTruck, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Tomio, Waze, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, benbaessler, bharg4v, bulej93, c3phas, defsec, djxploit, durianSausage, erictee, fatherOfBlocks, gerdusx, gogo, kyteg, lucacez, medikko, mics, owenthurm, oyc_109, rbserver, robee, sashik_eth, simon135, tofunmi
31.8812 USDC - $31.88
Change if -> revert pattern to 'require' to save gas and improve code quality, if (some_condition) { revert(revert_message) }
to: require(!some_condition, revert_message)
In the following locations:
DepositReceiver.sol, 17
We recommend not to cache msg.sender since calling it is 2 gas while reading a variable is more.
https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/Ownable.sol#L12
The following functions are used exactly once. Therefore you can inline them and save gas and improve code clearness.
AdminMultisigBase.sol, _adminEpoch AxelarGateway.sol, _setTokenDailyMintAmount AdminMultisigBase.sol, _getVoteCount AdminMultisigBase.sol, _hasVoted
In the following files there are state variables that could be set immutable to save gas.
gateway in IAxelarExecutable.sol DOMAIN_SEPARATOR in ERC20Permit.sol
Unused state variables are gas consuming at deployment (since they are located in storage) and are a bad code practice. Removing those variables will decrease deployment gas cost and improve code quality. This is a full list of all the unused storage variables we found in your code base.
DepositBase.sol, refundToken
There are places in the code (especially in for-each loops) that loads the same array element more than once. In such cases, only one array boundaries check should take place, and the rest are unnecessary. Therefore, this array element should be cached in a local variable and then be loaded again using this local variable, skipping the redundant second array boundaries check:
AxelarAuthWeighted.sol._isSortedAscAndContainsNoDuplicate - double load of accounts[i]
Caching the array length is more gas efficient. This is because access to a local variable in solidity is more efficient than query storage / calldata / memory. We recommend to change from:
for (uint256 i=0; i<array.length; i++) { ... }
to:
uint len = array.length for (uint256 i=0; i<len; i++) { ... }
AxelarAuthWeighted.sol, recentOperators, 17 AxelarDepositService.sol, refundTokens, 168 AxelarDepositService.sol, refundTokens, 204 AxelarGasService.sol, tokens, 123 AxelarAuthWeighted.sol, signatures, 98 AxelarGateway.sol, symbols, 207 AxelarDepositService.sol, refundTokens, 114
Prefix increments are cheaper than postfix increments.
Further more, using unchecked {++x} is even more gas efficient, and the gas saving accumulates every iteration and can make a real change
There is no risk of overflow caused by increamenting the iteration index in for loops (the ++i in for (uint256 i = 0; i < numIterations; ++i)).
But increments perform overflow checks that are not necessary in this case.
These functions use not using prefix increments (++x) or not using the unchecked keyword:
change to prefix increment and unchecked: AxelarGasService.sol, i, 123 change to prefix increment and unchecked: AxelarGateway.sol, i, 207 just change to unchecked: AxelarAuthWeighted.sol, i, 69 just change to unchecked: AxelarAuthWeighted.sol, i, 98 just change to unchecked: AxelarAuthWeighted.sol, i, 17 just change to unchecked: AxelarGateway.sol, i, 195 change to prefix increment and unchecked: AxelarDepositService.sol, i, 114 just change to unchecked: AxelarAuthWeighted.sol, i, 116 just change to unchecked: AxelarGateway.sol, i, 292 just change to unchecked: AdminMultisigBase.sol, i, 158 change to prefix increment and unchecked: AxelarDepositService.sol, i, 168 change to prefix increment and unchecked: AxelarDepositService.sol, i, 204 just change to unchecked: AdminMultisigBase.sol, i, 51
In for loops you initialize the index to start from 0, but it already initialized to 0 in default and this assignment cost gas. It is more clear and gas efficient to declare without assigning 0 and will have the same meaning:
AxelarAuthWeighted.sol, 98 AxelarGateway.sol, 207 AxelarAuthWeighted.sol, 69
Using != 0 is slightly cheaper than > 0. (see https://github.com/code-423n4/2021-12-maple-findings/issues/75 for similar issue)
AxelarDepositService.sol, 165: change 'balance > 0' to 'balance != 0' ReceiverImplementation.sol, 71: change 'balance > 0' to 'balance != 0' ReceiverImplementation.sol, 23: change 'balance > 0' to 'balance != 0' ReceiverImplementation.sol, 51: change 'balance > 0' to 'balance != 0'
#0 - re1ro
2022-08-05T00:55:45Z
Not applicable. You can't use custom error messages with require
Not applicable. We writing owner to the storage, not caching it.
We prefer cleaner code.
Good spot
It is actually used by inheriting contract. But we will consider moving it there
Unnecessary array boundaries check when loading an array element twice
Good spot
https://github.com/axelarnetwork/axelar-cgp-solidity/pull/135
Yup. Dup #2
Yup. Dup #2
Yup. Dup #2
Yup. Dup #14
#1 - GalloDaSballo
2022-08-25T01:33:19Z
Less than 300 gas