Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-12-POOLTOGETHER-FINDINGS-ISSUES-152
HistoryDec 05, 2022 - 12:00 a.m.

Missing msg.value when executing the cross-chain request

2022-12-0500:00:00
Code4rena
github.com
5
vulnerability
impact
proof of concept
tools used
mitigation steps
cross-chain
eth payment
smart contract
execution side
JSON

Lines of code
<https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/ethereum-optimism/EthereumToOptimismExecutor.sol#L45&gt;
<https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/ethereum-polygon/EthereumToPolygonExecutor.sol#L57&gt;
<https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/libraries/CallLib.sol#L64&gt;

Vulnerability details

Impact

the cross-chain request will not support smart contract that requires ETH payment in destination chain on execution side.

Proof of Concept

When a user relayers call and performs a cross-chain request, the executor needs to execute the request in the destination chain.

In this line:

CallLib.executeCalls(_nonce, _sender, _calls, _executedNonce);

which calls:

(bool _success, bytes memory _returnData) = _call.target.call(
abi.encodePacked(_call.data, _nonce, _sender)
);

if (!_success) {
revert CallFailure(_callIndex, _returnData);
}

because the function executeCalls is not marked as payable and cannot receive ETH,

the _call.target.call does not forward ETH (not _call.target.call{value: msg.value}(…)

the cross-chain cannot execute and support smart contract call request the ETH value.

for example, in Polygon, the user is not able to execute the function swapExactETHForTokens in Quickswap V2 Router because the function is payable and request ETH to be forwarded.

function swapExactETHForTokens(uint amountOutMin, address[] calldata path, address to, uint deadline)
	external
	virtual
	override
	payable
	ensure(deadline)
	returns (uint[] memory amounts)
{

<https://polygonscan.com/address/0xa5e0829caced8ffdd4de3c43696c57f7d7a678ff#code#L638&gt;

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend the project make the executeCall on the execution side payable and add msg.value when calling the smart contract.

/// @inheritdoc ICrossChainExecutor
function executeCalls(
uint256 _nonce,
address _sender,
CallLib.Call[] calldata _calls
) payable external {

and

(bool _success, bytes memory _returnData) = _call.target.call{value: msg.value}(
abi.encodePacked(_call.data, _nonce, _sender)
);

The text was updated successfully, but these errors were encountered:

All reactions

JSON