Code4rena: 2022-07-axelar-findings, issue 206
Aug 03, 2022

Malicious DepositBase may steal dust funds from ReceiverImplementation


Lines of code

Vulnerability details

Impact

Malicious DepositBase may steal dust funds from ReceiverImplementation

Proof of Concept

    // @dev This function is used for delegate by DepositReceiver deployed above
    // Context: msg.sender == AxelarDepositService, this == DepositReceiver
    function receiveAndSendToken(
        address payable refundAddress,
        string calldata destinationChain,
        string calldata destinationAddress,
        string calldata symbol
    ) external {
        // Always refunding native otherwise it's sent on DepositReceiver self destruction
        if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

        address tokenAddress = IAxelarGateway(gateway).tokenAddresses(symbol);
        // Checking with AxelarDepositService if need to refund a token
        address refund = DepositBase(msg.sender).refundToken();
        if (refund != address(0)) {
            _safeTransfer(refund, refundAddress, IERC20(refund).balanceOf(address(this)));
            return;
        }

        uint256 amount = IERC20(tokenAddress).balanceOf(address(this));

        if (amount == 0) revert NothingDeposited();

        // Sending the token through the gateway
        IERC20(tokenAddress).approve(gateway, amount);
        IAxelarGateway(gateway).sendToken(destinationChain, destinationAddress, symbol, amount);
    }

An attacker only has to craft a malicious DepositBase whose refundToken() returns the address of the token they want to steal, and then call ReceiverImplementation.receiveAndSendToken from that contract. Because msg.sender is not validated, the call refunds both the dust native token (via if (address(this).balance > 0) refundAddress.transfer(address(this).balance);) and the chosen ERC20 token (via _safeTransfer(refund, refundAddress, IERC20(refund).balanceOf(address(this)));) to the attacker-controlled refundAddress.

Tools Used

Manual review

Recommended Mitigation Steps

Whitelist the valid AxelarDepositService
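One way to apply this mitigation, shown here as an added example rather than Axelar's or the warden's code: the address of the legitimate AxelarDepositService is pinned in the implementation as an immutable, and the entry point rejects every other caller before it asks msg.sender for refundToken(). The trimmed interface shapes, the constructor, the depositService and onlyDepositService names and the _safeTransfer helper are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Interfaces trimmed to what the example needs (assumed shapes, not Axelar's full ABI).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IAxelarGateway {
    function tokenAddresses(string calldata symbol) external view returns (address);
    function sendToken(
        string calldata destinationChain,
        string calldata destinationAddress,
        string calldata symbol,
        uint256 amount
    ) external;
}

interface IDepositBase {
    function refundToken() external view returns (address);
}

contract ReceiverImplementation {
    error NotDepositService();
    error NothingDeposited();
    error TokenTransferFailed();

    address public immutable gateway;
    // Whitelist: the single AxelarDepositService allowed to drive this contract.
    // Immutables are baked into bytecode rather than storage, so the check reads the
    // right value even when DepositReceiver delegatecalls into this implementation.
    address public immutable depositService;

    constructor(address gateway_, address depositService_) {
        gateway = gateway_;
        depositService = depositService_;
    }

    // The mitigation: any caller other than the whitelisted deposit service is rejected,
    // so an arbitrary contract can no longer pose as DepositBase and pick refundToken().
    modifier onlyDepositService() {
        if (msg.sender != depositService) revert NotDepositService();
        _;
    }

    function receiveAndSendToken(
        address payable refundAddress,
        string calldata destinationChain,
        string calldata destinationAddress,
        string calldata symbol
    ) external onlyDepositService {
        // Native balance is always refunded to the caller-supplied refund address.
        if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

        address tokenAddress = IAxelarGateway(gateway).tokenAddresses(symbol);
        // msg.sender is now known to be the real deposit service, so its answer is trusted.
        address refund = IDepositBase(msg.sender).refundToken();
        if (refund != address(0)) {
            _safeTransfer(refund, refundAddress, IERC20(refund).balanceOf(address(this)));
            return;
        }

        uint256 amount = IERC20(tokenAddress).balanceOf(address(this));
        if (amount == 0) revert NothingDeposited();

        // Sending the token through the gateway
        IERC20(tokenAddress).approve(gateway, amount);
        IAxelarGateway(gateway).sendToken(destinationChain, destinationAddress, symbol, amount);
    }

    // Assumed helper: tolerates ERC20s whose transfer() returns no data.
    function _safeTransfer(address token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        if (!ok || (data.length != 0 && !abi.decode(data, (bool)))) revert TokenTransferFailed();
    }
}
```

The immutable is the important design choice: a storage variable in the implementation would be read from the DepositReceiver's storage during a delegatecall and would be zero there, whereas an immutable travels with the code and gives the same answer whether the implementation is called directly or through a DepositReceiver. If the deposit service deploys the implementation itself, msg.sender in the constructor can be used as depositService_ instead of passing the address explicitly.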

