Code4rena 2023-07-axelar findings, issue 494
Jul 21, 2023

Attacker can steal funds from the InterchainProposalExecutor contract

Source: Code4rena (github.com)
Tags: vulnerability, interchainproposalsender, theft of funds, interchainproposalexecutor, validation, mitigation

AI Score: 7 (High), Confidence: Low

Lines of code
<https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/interchain-governance-executor/InterchainProposalExecutor.sol#L22>

Vulnerability details

Impact

In InterchainProposalSender, users send proposals to other chains by passing InterchainCalls.InterchainCall structs to the payable sendProposals or sendProposal functions. Each InterchainCall carries the destination chain, the destination contract, a gas amount and an array of Call structs, and each Call has a target, a value and call data. The payable entry points only reconcile msg.value against the gas the caller wants to pay to the gas service; they never check that msg.value also covers the value fields of the calls. A caller can therefore ask for native tokens to be forwarded on the destination chain without funding them on the source chain.

Because relayed proposals are executed in the InterchainProposalExecutor contract, and its _executeProposal function forwards each call's value to the call's target, that value is paid out of the executor's own balance. An attacker who sends a proposal whose calls carry a value (with an attacker-controlled target) while paying only the gas fee can thus drain whatever native balance the executor holds.

Proof of Concept

Here is the _sendProposal function, which does not check msg.value against the values carried in the calls:

    function _sendProposal(InterchainCalls.InterchainCall memory interchainCall) internal {
        bytes memory payload = abi.encode(msg.sender, interchainCall.calls);

        if (interchainCall.gas > 0) {
            gasService.payNativeGasForContractCall{ value: interchainCall.gas }(
                address(this),
                interchainCall.destinationChain,
                interchainCall.destinationContract,
                payload,
                msg.sender
            );
        }

        gateway.callContract(interchainCall.destinationChain, interchainCall.destinationContract, payload);
    }

Recommended Mitigation Steps

In sendProposals, which calls revertIfInvalidFee, the check should also account for the value fields of the calls, not only the gas. The function should look like this:

    function revertIfInvalidFee(InterchainCalls.InterchainCall[] calldata interchainCalls) private {
        uint256 totalGas = 0;
        uint256 totalValue = 0;
        for (uint256 i = 0; i < interchainCalls.length; ) {
            totalGas += interchainCalls[i].gas;
            // `calls` is the array of Call structs that _sendProposal encodes into the payload,
            // so every Call.value the executor will forward has to be funded by the sender here.
            InterchainCalls.Call[] calldata calls = interchainCalls[i].calls;
            for (uint256 j = 0; j < calls.length; ) {
                totalValue += calls[j].value;
                unchecked {
                    ++j;
                }
            }
            unchecked {
                ++i;
            }
        }

        // msg.value must cover both the relayer gas and the value forwarded on the destination chain
        if (totalGas + totalValue != msg.value) {
            revert InvalidFee();
        }
    }

In sendProposal the same check applies, but for a single proposal instead of an array.
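The accounting gap described in the Impact section and the effect of the proposed revertIfInvalidFee change can be seen side by side in the following model. This is an added Python example, not code from the Axelar repository: the two contracts are reduced to plain functions, the gas service and gateway are omitted, and the addresses and amounts (ATTACKER, GAS, DRAIN, the executor's starting balance) are constructed for illustration. The original check reconciles only the gas, so a proposal that asks the executor to forward 5 ether while paying 0.01 ether of gas is accepted and the executor's own balance pays the 5 ether; the fixed check rejects the same proposal with InvalidFee and accepts it only when msg.value also carries the 5 ether.

```python
"""Model of the InterchainProposalSender / InterchainProposalExecutor value
accounting described in the finding (added example, not project code)."""
from dataclasses import dataclass

WEI_PER_ETHER = 10**18


class InvalidFee(Exception):
    """Mirrors the InvalidFee() revert in InterchainProposalSender."""


@dataclass(frozen=True)
class Call:
    target: str
    value: int        # wei the executor will forward to target
    call_data: bytes


@dataclass(frozen=True)
class InterchainCall:
    destination_chain: str
    destination_contract: str
    gas: int          # native gas paid to the gas service on the source chain
    calls: tuple      # tuple of Call


def revert_if_invalid_fee_original(interchain_calls, msg_value):
    """Source-side check as the finding describes it: only gas is reconciled."""
    total_gas = sum(ic.gas for ic in interchain_calls)
    if total_gas != msg_value:
        raise InvalidFee()


def revert_if_invalid_fee_fixed(interchain_calls, msg_value):
    """Proposed fix: gas plus every Call.value must equal msg.value."""
    total = sum(ic.gas + sum(c.value for c in ic.calls) for ic in interchain_calls)
    if total != msg_value:
        raise InvalidFee()


def execute_proposal(executor_balance, calls):
    """Destination-side _executeProposal as described: each Call.value is
    paid out of the executor's own balance. Returns (new_balance, payouts)."""
    payouts = {}
    for c in calls:
        if executor_balance < c.value:
            raise RuntimeError("executor balance exhausted")
        executor_balance -= c.value
        payouts[c.target] = payouts.get(c.target, 0) + c.value
    return executor_balance, payouts


def simulate(fee_check, interchain_calls, msg_value, executor_balance):
    """Run the source-side fee check, then the destination-side execution.
    Returns (executor_balance_after, payouts_by_target)."""
    fee_check(interchain_calls, msg_value)
    balance, payouts = executor_balance, {}
    for ic in interchain_calls:
        balance, paid = execute_proposal(balance, ic.calls)
        for target, amount in paid.items():
            payouts[target] = payouts.get(target, 0) + amount
    return balance, payouts


def fee_check_rejects(fee_check, interchain_calls, msg_value):
    """True if the given check reverts with InvalidFee for this input."""
    try:
        fee_check(interchain_calls, msg_value)
    except InvalidFee:
        return True
    return False


# Constructed attack input: pay only the relayer gas, but ask the executor to
# forward 5 ether to an attacker-controlled target. Placeholder addresses.
ATTACKER = "0xattacker"
GAS = 10**16                  # 0.01 ether, the only value actually sent
DRAIN = 5 * WEI_PER_ETHER
ATTACK = (InterchainCall("destination", "0xexecutor", GAS,
                         (Call(ATTACKER, DRAIN, b""),)),)


def run_attack(fee_check, executor_balance=10 * WEI_PER_ETHER):
    """Returns (executor_balance_after, wei_received_by_attacker) or raises InvalidFee."""
    balance, payouts = simulate(fee_check, ATTACK, GAS, executor_balance)
    return balance, payouts.get(ATTACKER, 0)


if __name__ == "__main__":
    print("original check, executor balance and attacker payout:",
          run_attack(revert_if_invalid_fee_original))
    print("fixed check rejects the same proposal:",
          fee_check_rejects(revert_if_invalid_fee_fixed, ATTACK, GAS))
```

The executor-side model is deliberately naive: it has no notion of who funded the value, which is exactly why the invariant has to be enforced on the source chain before the proposal is relayed.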

Assessed type

Invalid Validation


