THIS IS A TEST

Lines of code L1 Vulnerability details TESTING REFACTOR Assessed type Context --- The text was updated successfully, but these errors were encountered: All reactions...

TESTING CHANGE SEVERITY

Lines of code L1 Vulnerability details TESTING REFACTOR Assessed type Context --- The text was updated successfully, but these errors were encountered: All reactions...

InterchainTokenService.expressReceiveTokenWithData does not apply Check-Effect-Interaction mode

Lines of code Vulnerability details Impact InterchainTokenService.expressReceiveTokenWithData does not apply the Check-Effect-Interaction pattern. In some edge cases, the caller can lose funds. Proof of Concept The life cycle of sending token across chains contains 3 phases: //P1: launch on sourc...

Users who call expressReceiveTokenWithData or expressReceiveToken can griefed to pay for fees

Lines of code Vulnerability details Impact A user or service who calls expressReceiveTokenWithData or expressReceiveToken generally waits for an event associated with either callContractWithInterchainToken or sendToken to be emitted on a second chain. When they see this event, they will call...

AxelarGateway.sol: external setup funtion allow anyone to set governance_, mintLimiter_ and operator

Lines of code Vulnerability details Impact Anyone can call through the setup function and pass the params to set the mintlimiter, operator and governance. Proof of Concept As we can in above link, the setup function is called to set the mint limiter, operator and governance address. As per natsc...

Addresses in modifier not set correctly

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Addresses that are mintlimiter but not governance will revert thus being able not to call some functions as intended. Proof of Concept In the comment it was stated that it is either mint limiter or...

Attacker can create additional canonical token bridge

Lines of code Vulnerability details Impact Deployers of custom TokenManagers can subvert the limitation imposed in the documentation that allows only one Canonical Bridges for each existing ERC20 token: “deployers can deploy a Canonical Bridge for any token they want, this can be done only once p...

sendToken() shouldn't have metadata parameter

Lines of code Vulnerability details Impact Users calling sendToken with metadata may trigger a revert or lose the calldata if its size is 1-3 bytes when the destination is an EOA. Proof of Concept In transmitSendToken, we discard the calldata if it's less than 4 bytes, and revert if it's bigger o...

Honest users could lose funds due to the current implementation of executeProposal()

Lines of code Vulnerability details Impact In the InterChainGovernance.sol contract, the executeProposal function lacks an explicit check to ensure that the msg.value provided with the function call is greater than or equal to the nativeValue specified. After an extensive discussion with the...

Replay Attack Vulnerability Due to Uniqueness Invariant Violation in AxelarServiceGovernance Contract's Proposal Hash Generation

Lines of code Vulnerability details Impact The current implementation of the AxelarServiceGovernance contract relies solely on the Keccak256 algorithm to generate proposal hashes, using only the target contract's address, encoded function call data, and the native token transfer value as...

Risk of Rogue Signer Control: Potential for Malicious Signer to Modify Threshold and Gain Unauthorized Control of Multisig Contract

Lines of code Vulnerability details Impact The "Rotation of Signers" mechanism in the Multisig contract poses a risk of a single rogue or compromised signer gaining unauthorized control of the contract. If a signer with malicious intent or compromised credentials utilizes the rotateSigners...

InterchainProposalExecutor doesn't support actions with value

Lines of code Vulnerability details Impact An interchain call consists of the target address, calldata, and value. When InterchainProposalExecutor performs the call, it passes the value along function executeProposalInterchainCalls.Call memory calls internal for uint256 i = 0; i calls.length; i++...

StandardizedToken can be setup multiple times by anyone. Causing unlimited mint by anyone.

Lines of code Vulnerability details Impact StandardizedToken can be setup multiple times by anyone. Causing unlimited mint by anyone. Proof of Concept function setupbytes calldata params external override onlyProxy address distributor; address tokenManager; string memory tokenName; tokenManager,...

Collateralization ratio manipulation can cause a denial of service

Lines of code Vulnerability details Impact Stablecoin redeeming and profit accruing in the SavingsVest contract can be blocked when the collateralization ratio has overflown. Proof of Concept The mitigation recommended in 31 and implemented by the sponsor in this commit doesn't resolve the root...

Using controlled delegatecall could in calling _deployTokenManager.tokenManagerDeploy()

Lines of code Vulnerability details Impact The use of delegatecall in this context poses a security risk. When using delegatecall, the called contract's code is executed within the context of the calling contract. This means that the deployTokenManager function is executed as if it is part of the...

M-06 Unmitigated

Lines of code Vulnerability details Original Issue code-423n4/2023-06-angle-findings13 Details This issue shows users may lose a portion of yield when protocolSafetyFee and vestingPeriod are changed. As mitigation, it recommends accruing interests before those parameters are changed. Mitigation P...

Proposal cannot be executed if signers update their accounts and threshold halfway

Lines of code Vulnerability details Impact If signers update their accounts and threshold halfway into voting, then the proposal cannot be executed anymore Proof of Concept execute is protected under onlySigners function execute address target, bytes calldata callData, uint256 nativeValue -...

Payable functions using delegatecall inside a loop

Lines of code Vulnerability details Impact The use of delegatecall within a loop, in the context of a payable function, can lead to the repeated crediting of the msg.value amount, potentially causing unexpected behavior or loss of funds. Proof of Concept contract DelegatecallInLoop is Multicall...

bypass flow limit by transferring tokens at epoch's boarder

Lines of code Vulnerability details Impact Token flow can reach 2flowlimit in a very short time. Proof of Concept We store the flow out and flow in tokens numbers for every epoch: / @dev Returns the slot which is used to get the flow out amount for a specific epoch @param epoch The epoch to get t...

Attacker can steal funcds from InterchainProposalExecutor contract

Lines of code Vulnerability details Impact In InterchainProposalSender users can send proposals to diffrent chains by passing the call data InterchainCalls.Call into sendProposals or sendProposal functions, this struct contains another struct Call which contains target, value and call data, but...

A Remote InterchainTokenService will not be able to call _execute() because incorrect validation of hashes due to wrong conversion of address to lowercase

Lines of code Vulnerability details Proof of Concept The ASCII table contains letters, numbers, control characters, and other symbols. Each character is assigned a unique 7-bit code. ASCII is an acronym for American Standard Code for Information Interchange. The ASCII code for uppercase 'A' is 65...

Users can abuse multicall feature on InterchainTokenService to steal contract funds

Lines of code Vulnerability details Impact Users can steal balance in InterchainTokenService to pay gas fees for remote chain calls through multicall in InterchainTokenService.sol. Proof of Concept User can send multiple calls at the same time on InterchainTokenService contract with the help of...

The is no way for native tokens to get sent to InterchainProposalExecutor

Lines of code Vulnerability details Impact Proposals that require value cannot be executed as native tokens on the other side of the bridge cannot be provided. Proof of Concept Proposals have a value parameter, which allows users to specify what amount of native tokens should be passed when calli...

Voter/caller's eth will be stuck in contracts if the proposal fails to pass

Lines of code Vulnerability details Impact Voters of AxelarServiceGovernance.sol:executeMultisigProposal or callers of Multisig.sol:execute will have their eth stuck in the contract if they can't make the proposal/call pass the vote count checks in onlySigners. Proof of Concept...

funds can be stolen in InterchainGovernance, Multisig and AxelarServiceGovernance contracts

Lines of code Vulnerability details Impact In InterchainGovernance users can execute the proposal by passing required data and the amount of native value they want to send with executeProposal function, this function calls call function in Caller contract, but this function insted of checking...

Interchain token transfer can be Dossed Due To Flow Limit

Lines of code Vulnerability details Impact A large token holder can send back and forth tokens, using the flow limit to the capacity in start of every epoch making the system unusable for everyone else. Proof of Concept Interchain tokens can be transferred from one chain to another via the token...

Malicious user can permanently break InterchainProposalExecutor#_executeProposal by returning huge amounts of data

Lines of code Vulnerability details Impact InterchainProposalExecutorexecuteProposal makes a call to interchaincall to send the value. It then stores the return data of the call in memory. A malicious user could set the interchaincall target to a malicious contract that would return an extremely...

A reorg on the origin chain after a proposal has been validated will result in loss of funds for the protocol

Lines of code Vulnerability details Impact The protocol will lose the funds that the user sent to the origin chain InterchainProposalSender contract for the proposal. Proof of Concept When a proposal gets submitted it gets reviewed by validators on the Axelar network and then receives a validatio...

balance of the recipient to is updated after the token transfer (safeTransferFrom function) could lead to reentrancy attack

Lines of code Vulnerability details Impact The balance of the recipient to is updated after the token transfer safeTransferFrom function. If the safeTransferFrom function triggers an external contract, and that contract, in turn, calls back to this contract, it can result in a reentrancy attack...

[H] Address collisions due to lack of check on the salt parameter

Lines of code Vulnerability details Impact In ConstAddressDeployer, functions deploy and deployAndInit do not check for the same salt value being passed in by different users. This can lead to address collisions. If someone passes the same salt value as someone else, even with different bytecode...

MID-Risk Vulnerabilities in the Axelar Smart Contracts

Lines of code s://github.com/code-423n4/2023-07-axelar/tree/main/contracts/cgp/governance/AxelarServiceGovernance.solL73 Vulnerability details Impact The vulnerabilities that I have identified could have a significant impact on the Axelar network. These vulnerabilities could be exploited by an...

Unauthorized Contract Upgrade Vulnerability in Upgradable Contract

Lines of code Vulnerability details In the "upgrade" function, the contract allows the owner to upgrade the contract to a new implementation using the provided address and code hash. However, there is a flaw in the implementation that can allow an attacker to bypass the contract upgrade checks an...

All co-signers pay during executeMultisigProposal

Lines of code Vulnerability details Impact The executeMultisigProposal will receive payment from all cosigners when only one payment of nativeValue amount is required. Proof of Concept The executeMultisigProposal requires native payment and therefore requires the caller to pay an amount equivalen...

InitProxy and Proxy may revert preventing successful init

Lines of code Vulnerability details Impact When InitProxy is constructed the owner is set to be the sender address so that the init function can only be called by the same sender address. If the init function is receiving a new owner, the implementation may revert during setup preventing proxy...

LACK OF VALIDATION CHECK COULD LEAD TO WRONG TOKEN TRANSFERS THUS BREAKING THE PROTOCOL

Lines of code Vulnerability details Impact The InterchainTokenService.processSendTokenWithDataPayload function is used to process the received token amount with data at the destination InterchainTokenService contract. The received token amount is transferred to either the expressCaller or the...

InterchainProposalExecutor will fail if any proposal requires value transfer, breaking core logic

Lines of code Vulnerability details Impact Proposals which are sent from a source chain using InterchainProposalSender to a destination chain to be executed using InterchainProposalExecutor are intended to support function calls that include transfers of ETH, or other native token. However, the...

Reentrant Call Vulnerability in ExpressCallHandler Contract

Lines of code Vulnerability details DISCRIPTION The ExpressCallHandler contract contains a potential bug related to handling the express calls. The issue lies in the setExpressReceiveToken and setExpressReceiveTokenWithData functions. Specifically, these functions don't properly handle reentrant...

Multisig's functionality is impaired when Signers#threshold is 1

Lines of code Vulnerability details Impact Multisig's functionality is impaired when Signersthreshold is 1. Imagine the Signersthreshold is 1, so an individual signer is possible claim all the funds from Multisig without the need for other signers to vote. It is logical that at least 2 people...

newGovernance COULD BE SET TO A WRONG ADDRESS THUS FREEZING CERTAIN FUNCTIONS

Lines of code Vulnerability details Impact The AxelarGateway.transferGovernance function is used to set the newGovernance address in the storage of the AxelarGateway contract. It is performed as follows: function transferGovernanceaddress newGovernance external override onlyGovernance if...

Potential Reentrancy in onlyAdmin modifier

Lines of code Vulnerability details The vulnerability lies in the AdminMultisigBase contract, in the onlyAdmin modifier. The onlyAdmin modifier does not prevent reentrancy, which can lead to a potential reentrancy vulnerability. The vulnerable part of the code: modifier onlyAdmin uint256 adminEpo...

Insecure minimum threshold in _rotateSigners function

Lines of code Vulnerability details Impact Insecure minimum threshold in rotateSigners function can cause execution of malicious multisig proposals with unexpected results. Proof of Concept The rotateSigners is the only function which can initialize multisig parameters. This function has zero che...

A whale can DoS the token service by reaching flowlimit

Lines of code Vulnerability details Impact Clients can't transfer tokens between chains because the flow limit is reached. Proof of Concept In FlowLimit.sol:addFlow, we revert if current flowToAdd + flowAmount flowToCompare + flowLimit: uint256 flowToAdd; uint256 flowToCompare; assembly flowToAdd...

Gas refunds are returned to the wrong address, leading to loss of funds for the payer

Lines of code Vulnerability details Impact To pay for cross-chain messages/calls, a user/third-party service must pay a reasonable fee in this case using the native token. However, often times a user will overpay to ensure that there is an adequate buffer for their tx to successfully succeed in...

onlyProxy MODIFIER CAN BE BYPASSED BY A MALICIOUS PROXY CONTRACT AND CAN PUSH THE IMPLEMENTATION CONTRACT INTO AN UNDESIRABLE STATE

Lines of code Vulnerability details Impact The Upgradeable.onlyProxy modifier is used to ensure that a function can only be called by the proxy and can not be directly called in the Upgradeable.sol contract. The onlyProxy modifier implementation is as follows: modifier onlyProxy // Prevent setup...

MID-Risk Vulnerabilities in the Axelar Smart Contracts

Lines of code Vulnerability details Impact The vulnerabilities that I have identified could have a significant impact on the Axelar network. These vulnerabilities could be exploited by an attacker to: Gain control of the Axelar network by proposing and voting on malicious proposals. Mint or burn...

MultisigBase.sol : Unsafe onlySigners modifier

Lines of code Vulnerability details Impact The multi sig based implementation will not serve its purpose. Proposals can be executed even by a single signer. Proof of Concept Contract has the MultisigBase implementation which will be used as a custom multisignature wallet where transactions must b...

M-02 Unmitigated

Lines of code Vulnerability details Original Issue code-423n4/2023-06-angle-findings31 Details It shows LibGetters.getCollateralRatio might return the incorrect ratio due to the unsafe cast. Mitigation PR: AngleProtocol/angle-transmuter@6f2ffcb During the mitigation, it uses the safeCast library...

Using controlled delegatecall, to call InterchainTokenService._deployStandardizedToken contract instead of call()

Lines of code Vulnerability details Impact When using delegatecall, the called contract's code is executed within the context of the calling contract. This means that the deployStandardizedToken function is executed as if it is part of the current contract, and it can potentially modify the state...

TokenManager.sendToken/callContractWithInterchainToken/transmitInterchainTransfer require re-entry protection

Lines of code Vulnerability details Impact Anyone can deploy a TokenManagerLockUnlock for the existing ERC20 via registerCanonicalToken, and deploy the corresponding token on a target chain via deployRemoteCanonicalToken. After the TokenManagers of the two chains are created, users can transfer...

ProposalHash can be easily duplicated with same target, callData and nativeValue

Lines of code Vulnerability details Impact function executeMultisigProposal address target, bytes calldata callData, uint256 nativeValue external payable onlySigners bytes32 proposalHash = keccak256abi.encodePackedtarget, callData, nativeValue; if !multisigApprovalsproposalHash revert NotApproved...