Code4rena | CODE423N4:2022-04-AXELAR-FINDINGS-ISSUES-12
Apr 11, 2022 - 12:00 a.m.

User's funds can get lost when transferring to other chain

Source: github.com

Lines of code

Vulnerability details

Impact

When transferring tokens to another chain, the tokens on the source chain are burned: if they are external they will be transferred to the AxelarGateway, otherwise they will be burned. On the target chain the same amount of tokens will be minted for the user: if the token is external it will be transferred to the user from the AxelarGateway, otherwise it will be minted to the user.
But there is a problem: if the AxelarGateway doesn't have the needed amount of the token for some reason, the _callERC20Token call with the transfer function selector will fail and return false, which will make the _mintToken function revert. Because it reverted, the user won't get their funds on the destination chain, although they paid the needed amount on the source chain.

Tools Used

VS Code and Remix

Recommended Mitigation Steps

Instead of reverting when the transfer is not successful, call callContractWithToken with the source chain as the destination chain in order to return the user's funds.
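
An added example, not part of the original report and not Axelar's contract code: a simplified Python accounting model of the failure described under Impact and of the refund recommended above. The `Gateway` class, `bridge()`, `run()`, the user "alice" and all amounts are constructed for illustration, and the cross-chain message is collapsed into a direct call.

```python
# Simplified accounting model (constructed); not Axelar's contract code.
class Gateway:
    """One chain's gateway holding an escrow of an external ERC-20 token."""

    def __init__(self, chain, escrow):
        self.chain = chain
        self.escrow = escrow      # external tokens held by the gateway
        self.balances = {}        # user balances on this chain

    def send(self, user, amount):
        # Source side: external tokens move from the user into the gateway.
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient user balance")
        self.balances[user] -= amount
        self.escrow += amount

    def transfer_out(self, user, amount):
        # Like the transfer call in the report: returns False instead of raising.
        if self.escrow < amount:
            return False
        self.escrow -= amount
        self.balances[user] = self.balances.get(user, 0) + amount
        return True


def bridge(src, dst, user, amount, refund_on_failure):
    """Return where the funds ended up: 'delivered', 'refunded' or 'lost'."""
    src.send(user, amount)
    if dst.transfer_out(user, amount):
        return "delivered"
    if not refund_on_failure:
        # Reported behaviour: the destination mint reverts, while the
        # source-side transfer into the gateway has already happened.
        return "lost"
    # Recommended mitigation: send the same amount back to the source chain.
    # The source escrow covers it because send() has just funded it.
    if not src.transfer_out(user, amount):
        raise RuntimeError("refund failed")
    return "refunded"


def run(dst_escrow, refund_on_failure):
    """Bridge 60 of alice's 100 tokens; return (outcome, src balance, dst balance)."""
    src, dst = Gateway("source", 0), Gateway("destination", dst_escrow)
    src.balances["alice"] = 100
    outcome = bridge(src, dst, "alice", 60, refund_on_failure)
    return outcome, src.balances["alice"], dst.balances.get("alice", 0)
```

With an underfunded destination gateway, `run(10, False)` leaves alice with 40 on the source chain and nothing on the destination, while `run(10, True)` restores her full 100.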

