Lines of code
<https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/interchain-token/InterchainToken.sol#L1-L106>
A large token holder can send back and forth tokens, using the flow limit to the capacity in start of every epoch making the system unusable for everyone else.
Interchain tokens can be transferred from one chain to another via the token manager and interchain token service.
And there is a limit imposed, for both the flow out and flow in.
Flow out happens when we send the token from one chain to another. Lets say arbitrum to optimism and we are sending USDC. So in this case, in context of arbitrum it will be flow out and in context of optimism it will be flow in and and receiver on optimism will get the tokens via the token manager βgiveToken()β callable by the inter chain token service.
But there is a flow limit impose per epoch.
One Epoch = 6 hours long.
So there cannot be more than certain amount of tokens sent between the chain per 6 hours. This is done to protect from the uncertain conditions like a security breach and to secure as much of tokens as possible.
But the problem with such design is big token holder or whale could easily exploit it to DOS the other users.
Consider the following scenerio:
This attack is pretty simple and easy to acheive and also very cheap to do, specifically on the L2βs or other cheap chains due to low gas price.
Function using the flow limit utility in tokenManager.sol are following
function sendToken(
string calldata destinationChain,
bytes calldata destinationAddress,
uint256 amount,
bytes calldata metadata
) external payable virtual {
address sender = msg.sender;
amount = _takeToken(sender, amount);
_addFlowOut(amount);
interchainTokenService.transmitSendToken{ value: msg.value }(
_getTokenId(),
sender,
destinationChain,
destinationAddress,
amount,
metadata
);
}
/**
* @notice Calls the service to initiate the a cross-chain transfer with data after taking the appropriate amount of tokens from the user.
* @param destinationChain the name of the chain to send tokens to.
* @param destinationAddress the address of the user to send tokens to.
* @param amount the amount of tokens to take from msg.sender.
* @param data the data to pass to the destination contract.
*/
function callContractWithInterchainToken(
string calldata destinationChain,
bytes calldata destinationAddress,
uint256 amount,
bytes calldata data
) external payable virtual {
address sender = msg.sender;
amount = _takeToken(sender, amount);
_addFlowOut(amount);
uint32 version = 0;
interchainTokenService.transmitSendToken{ value: msg.value }(
_getTokenId(),
sender,
destinationChain,
destinationAddress,
amount,
abi.encodePacked(version, data)
);
}
/**
* @notice Calls the service to initiate the a cross-chain transfer after taking the appropriate amount of tokens from the user. This can only be called by the token itself.
* @param sender the address of the user paying for the cross chain transfer.
* @param destinationChain the name of the chain to send tokens to.
* @param destinationAddress the address of the user to send tokens to.
* @param amount the amount of tokens to take from msg.sender.
*/
function transmitInterchainTransfer(
address sender,
string calldata destinationChain,
bytes calldata destinationAddress,
uint256 amount,
bytes calldata metadata
) external payable virtual onlyToken {
amount = _takeToken(sender, amount);
_addFlowOut(amount);
interchainTokenService.transmitSendToken{ value: msg.value }(
_getTokenId(),
sender,
destinationChain,
destinationAddress,
amount,
metadata
);
}
/**
* @notice This function gives token to a specified address. Can only be called by the service.
* @param destinationAddress the address to give tokens to.
* @param amount the amount of token to give.
* @return the amount of token actually given, which will onle be differen than amount in cases where the token takes some on-transfer fee.
*/
function giveToken(address destinationAddress, uint256 amount) external onlyService returns (uint256) {
amount = _giveToken(destinationAddress, amount);
_addFlowIn(amount);
return amount;
}
/**
* @notice This function sets the flow limit for this TokenManager. Can only be called by the operator.
* @param flowLimit the maximum difference between the tokens flowing in and/or out at any given interval of time (6h)
*/
function setFlowLimit(uint256 flowLimit) external onlyOperator {
_setFlowLimit(flowLimit);
}
Manual review
There could be many solution for this one. But two solutions from top of my head are:
Do the chainlink way CCIP way, chainlink recently launched cross chain service solved the similar problem by imposing the token bps fee, by imposing such fee along with gas fee, cost of attack becomes way higher and system can be protected from such attack.
Introduce the mechanism of limit per account, instead of whole limit. But that can be exploited too by doing it through multiple accounts.
Chainlinkβs way would be the better solution to go with IMO.
DoS
The text was updated successfully, but these errors were encountered:
All reactions