Platform: Code4rena
Start Date: 01/09/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 70
Period: 6 days
Judge: kirk-baird
Id: 281
League: ETH
Rank: 29/70
Findings: 1
Award: $132.84
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xDING99YA, 0xpiken, Inspecktor, SpicyMeatball, adriro, ast3ros, bin2chen, bowtiedvirus, kutugu, pep7siup, seerether
132.8375 USDC - $132.84
The first few transactions become vulnerable to replay attacks, where an attacker can mint additional tokens. This can lead to loss of funds or token inflation.
The nonce is incremented on every call to burnAndCallAxelar(). It is used to prevent replay attacks - if someone sees a payload go through, they shouldn't be able to just re-send the same payload and have it go through again.
Starting the nonce at 0 means the first transaction will use a nonce of 0. If someone sees this payload, they could re-send it since the contract has no way of knowing this nonce was already used.
A proof of concept attack:
1. Alice calls burnAndCallAxelar() with amount 100 and nonce 0
2. Eve sees this transaction go through
3. Eve calls burnAndCallAxelar() with amount 100 and nonce 0
4. The contract sees nonce 0 has not been used before, allows the transaction

This effectively mints an extra 100 tokens for Eve by replaying Alice's transaction.
The nonce should be initialized to a random number.
Other
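An added example, not part of the submission or of the audited code: a Python model of the replay question raised above, checking whether a second delivery of the same message is accepted for different starting nonces. The payload fields (sender, amount, nonce), both receiver classes and all names are assumptions, since the page does not show the receiving side.

```python
import hashlib

def encode_payload(sender: str, amount: int, nonce: int) -> bytes:
    # Stand-in for an ABI-encoded message; the field set is an assumption.
    return f"{sender}|{amount}|{nonce}".encode()

class SourceBridge:
    """Burn side: hands out one nonce per call, as the finding describes."""
    def __init__(self, start_nonce: int = 0):
        self.nonce = start_nonce

    def burn_and_call(self, sender: str, amount: int) -> bytes:
        payload = encode_payload(sender, amount, self.nonce)
        self.nonce += 1
        return payload

class NaiveReceiver:
    """Hypothetical mint side that keeps no history of executed messages."""
    def __init__(self):
        self.minted = {}

    def execute(self, payload: bytes) -> bool:
        sender, amount, _nonce = payload.decode().split("|")
        self.minted[sender] = self.minted.get(sender, 0) + int(amount)
        return True

class TrackingReceiver(NaiveReceiver):
    """Hypothetical mint side that executes each distinct payload only once."""
    def __init__(self):
        super().__init__()
        self.seen = set()

    def execute(self, payload: bytes) -> bool:
        # SHA-256 stands in for the hash a contract would use (e.g. keccak256).
        digest = hashlib.sha256(payload).digest()
        if digest in self.seen:
            return False  # same message delivered again: rejected
        self.seen.add(digest)
        return super().execute(payload)

def replay_result(receiver, start_nonce: int):
    """Deliver Alice's first message twice (constructed sample: alice, 100).
    Returns (second delivery accepted, total minted to alice)."""
    msg = SourceBridge(start_nonce).burn_and_call("alice", 100)
    receiver.execute(msg)
    accepted = receiver.execute(msg)
    return accepted, receiver.minted["alice"]
```

In this model the outcome depends on whether the receiver records executed messages, and it is the same for a starting nonce of 0 and for any other starting value.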
#0 - raymondfam
2023-09-08T01:03:33Z
The sender will be different, leading to different payloads.
#1 - c4-pre-sort
2023-09-08T01:03:39Z
raymondfam marked the issue as low quality report
#2 - c4-pre-sort
2023-09-08T01:03:44Z
raymondfam marked the issue as primary issue
#3 - c4-pre-sort
2023-09-10T03:54:37Z
raymondfam marked the issue as duplicate of #162
#4 - c4-judge
2023-09-17T06:41:34Z
kirk-baird marked the issue as partial-50
#5 - c4-judge
2023-09-26T03:03:40Z
kirk-baird changed the severity to 2 (Med Risk)