Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #16

Open
code423n4 opened this issue Jul 31, 2022 · 2 comments
Open

QA Report #16

code423n4 opened this issue Jul 31, 2022 · 2 comments
Labels
bug Something isn't working edited-by-warden QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

code423n4 commented Jul 31, 2022

1 Does not validate the input fee parameter

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    AxelarGasService.payGasForContractCallWithToken (gasFeeAmount)
    AxelarGasService.payGasForContractCall (gasFeeAmount)
    AxelarGasService.addGas (gasFeeAmount)

2 safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated.
(see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38)
You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in AxelarDepositService.sol line 29: IERC20(wrappedTokenAddress).approve(gateway, amount);
    Deprecated safeApprove in ReceiverImplementation.sol line 63: IERC20(wrappedTokenAddress).approve(gateway, amount);
    Deprecated safeApprove in AxelarGateway.sol line 306: commandSelector = AxelarGateway.approveContractCallWithMint.selector;
    Deprecated safeApprove in AxelarGateway.sol line 304: commandSelector = AxelarGateway.approveContractCall.selector;
    Deprecated safeApprove in ReceiverImplementation.sol line 37: IERC20(tokenAddress).approve(gateway, amount);

3 Not verified input

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    ReceiverImplementation.sol.receiveAndUnwrapNative refundAddress
    ERC20Permit.sol.permit issuer
    AxelarDepositService.sol.refundTokenDeposit refundAddress

4 Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Code instance:

5 Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.

Code instances:

    XC20Sample.sol.transfer_ownership owner_
    Proxy.sol.init newOwner

6 Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.

Code instance:

    ECDSA.sol, recover

7 Two Steps Verification before Transferring Ownership

The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked.
It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership.
A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105

Code instances:

    IOwnable.sol
    XC20Sample.sol
    Upgradable.sol
    Ownable.sol
    AdminMultisigBase.sol
    LocalAsset.sol

8 Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    IAxelarForecallable.sol: function _checkForecallWithToken parameter sourceChain isn't used. (_checkForecallWithToken is internal)
    IAxelarForecallable.sol: function _checkForecallWithToken parameter tokenSymbol isn't used. (_checkForecallWithToken is internal)
    TokenDeployer.sol: function deployToken parameter symbol isn't used. (deployToken is external)
    Upgradable.sol: function _setup parameter data isn't used. (_setup is internal)
    Proxy.sol: function setup parameter data isn't used. (setup is public)
    AxelarDepositService.sol: function refundTokenDeposit parameter salt isn't used. (refundTokenDeposit is external)
    IAxelarForecallable.sol: function _executeWithToken parameter tokenSymbol isn't used. (_executeWithToken is internal)
    AxelarDepositService.sol: function refundNativeUnwrap parameter salt isn't used. (refundNativeUnwrap is external)
    IAxelarExecutable.sol: function _executeWithToken parameter sourceAddress isn't used. (_executeWithToken is internal)
    IAxelarForecallable.sol: function _checkForecallWithToken parameter sourceAddress isn't used. (_checkForecallWithToken is internal)
    AxelarDepositService.sol: function nativeUnwrap parameter salt isn't used. (nativeUnwrap is external)
    IAxelarForecallable.sol: function _checkForecall parameter sourceAddress isn't used. (_checkForecall is internal)
    IAxelarExecutable.sol: function _executeWithToken parameter tokenSymbol isn't used. (_executeWithToken is internal)
    IAxelarExecutable.sol: function _execute parameter sourceChain isn't used. (_execute is internal)
    IAxelarForecallable.sol: function _execute parameter sourceAddress isn't used. (_execute is internal)
    TokenDeployer.sol: function deployToken parameter name isn't used. (deployToken is external)
    IAxelarForecallable.sol: function _executeWithToken parameter sourceAddress isn't used. (_executeWithToken is internal)
    IAxelarForecallable.sol: function _executeWithToken parameter amount isn't used. (_executeWithToken is internal)
    AxelarDepositService.sol: function sendNativeDeposit parameter salt isn't used. (sendNativeDeposit is external)
    IAxelarForecallable.sol: function _checkForecallWithToken parameter amount isn't used. (_checkForecallWithToken is internal)
    TokenDeployer.sol: function deployToken parameter cap isn't used. (deployToken is external)
    IAxelarForecallable.sol: function _checkForecall parameter forecaller isn't used. (_checkForecall is internal)
    IAxelarForecallable.sol: function _checkForecall parameter payload isn't used. (_checkForecall is internal)
    AxelarGatewayProxy.sol: function setup parameter params isn't used. (setup is external)
    TokenDeployer.sol: function deployToken parameter salt isn't used. (deployToken is external)
    ERC20.sol: function _beforeTokenTransfer parameter from isn't used. (_beforeTokenTransfer is internal)
    IAxelarForecallable.sol: function _checkForecallWithToken parameter payload isn't used. (_checkForecallWithToken is internal)
    IAxelarForecallable.sol: function _execute parameter sourceChain isn't used. (_execute is internal)
    IAxelarExecutable.sol: function _executeWithToken parameter amount isn't used. (_executeWithToken is internal)
    IAxelarExecutable.sol: function _execute parameter sourceAddress isn't used. (_execute is internal)
    ERC20.sol: function _beforeTokenTransfer parameter amount isn't used. (_beforeTokenTransfer is internal)
    IAxelarExecutable.sol: function _executeWithToken parameter sourceChain isn't used. (_executeWithToken is internal)
    TokenDeployer.sol: function deployToken parameter decimals isn't used. (deployToken is external)
    IAxelarExecutable.sol: function _executeWithToken parameter payload isn't used. (_executeWithToken is internal)
    ERC20.sol: function _beforeTokenTransfer parameter to isn't used. (_beforeTokenTransfer is internal)
    IAxelarExecutable.sol: function _execute parameter payload isn't used. (_execute is internal)
    IAxelarForecallable.sol: function _executeWithToken parameter sourceChain isn't used. (_executeWithToken is internal)
    IAxelarForecallable.sol: function _executeWithToken parameter payload isn't used. (_executeWithToken is internal)
    AxelarDepositService.sol: function sendTokenDeposit parameter salt isn't used. (sendTokenDeposit is external)
    IAxelarForecallable.sol: function _execute parameter payload isn't used. (_execute is internal)
    IAxelarForecallable.sol: function _checkForecall parameter sourceChain isn't used. (_checkForecall is internal)
    IAxelarForecallable.sol: function _checkForecallWithToken parameter forecaller isn't used. (_checkForecallWithToken is internal)

9 Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L189
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L65
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L144
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L128
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/interfaces/IAxelarForecallable.sol#L81
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L46
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/deposit-service/ReceiverImplementation.sol#L51
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L65
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L210
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L170
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L87
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L108
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L189
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/deposit-service/ReceiverImplementation.sol#L23
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/interfaces/IAxelarForecallable.sol#L58
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L21
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L108
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L76
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L63
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/gas-service/AxelarGasService.sol#L105
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L210
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L170
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L125
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/deposit-service/ReceiverImplementation.sol#L71

10 Missing commenting

    The following functions are missing commenting as describe below:

Code instances:

    Proxy.sol, init (external), parameters implementationAddress, newOwner, params not commented
    AxelarGatewayProxy.sol, setup (external), parameter params not commented
    Proxy.sol, setup (public), parameter data not commented

11 Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/Proxy.sol#L38
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/XC20Wrapper.sol#L44
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/AxelarGateway.sol#L204
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/util/Upgradable.sol#L64
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/Upgradable.sol#L66
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/AxelarGateway.sol#L241
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/util/Proxy.sol#L64
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/AxelarGatewayProxy.sol#L26

12 Must approve 0 first

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.
They must first be approved by zero and then the actual allowance must be approved.

Code instances:

approve without approving 0 first ReceiverImplementation.sol, 63, IERC20(wrappedTokenAddress).approve(gateway, amount);

approve without approving 0 first AxelarDepositService.sol, 29, IERC20(wrappedTokenAddress).approve(gateway, amount);

approve without approving 0 first ReceiverImplementation.sol, 37, IERC20(tokenAddress).approve(gateway, amount);

13 Two arrays length mismatch

The functions below fail to perform input validation on arrays to verify the lengths match.
A mismatch could lead to an exception or undefined behavior.
Consider making this a medium risk please.

    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/auth/AxelarAuthWeighted.sol#L86 _validateSignatures ['operators', 'weights', 'signatures']

14 Override function but with different argument location

Code instance:

AxelarGasService.sol.payGasForContractCallWithToken inherent IAxelarGasService.sol.payGasForContractCallWithToken but the parameters does not match
https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/interfaces/IAxelarGasService.sol#L71

15 Tokens with fee on transfer are not supported

There are ERC20 tokens that charge fee for every transfer() / transferFrom().

Vault.sol#addValue() assumes that the received amount is the same as the transfer amount,
and uses it to calculate attributions, balance amounts, etc.
But, the actual transferred amount can be lower for those tokens.
Therefore it's recommended to use the balance change before and after the transfer instead of the amount.
This way you also support the tokens with transfer fee - that are popular.

Code instances:

    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L189
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L189
    https://github.com/code-423n4/2022-07-axelar/tree/main/contracts/ERC20.sol#L170
    https://github.com/code-423n4/2022-07-axelar/tree/main/xc20/contracts/ERC20.sol#L170

16 approve return value is ignored

Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean.
Calling these functions with the correct EIP20 function signatures will always revert.
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value.
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens.
The list of occurrences in format (solidity file, line number, actual line)

Code instances:

AxelarDepositService.sol, 29, IERC20(wrappedTokenAddress).approve(gateway, amount);

ReceiverImplementation.sol, 63, IERC20(wrappedTokenAddress).approve(gateway, amount);

ReceiverImplementation.sol, 37, IERC20(tokenAddress).approve(gateway, amount);

17 transfer return value of a general ERC20 is ignored

Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must

  1. Check the transfer return value
    Another popular possibility is to add a whiteList.
    Those are the appearances (solidity file, line number, actual line):

Code instance:

    ReceiverImplementation.sol, 86 (receiveAndUnwrapNative), recipient.transfer(amount);
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jul 31, 2022
code423n4 added a commit that referenced this issue Jul 31, 2022
@re1ro
Copy link
Member

re1ro commented Aug 5, 2022

1

Yup. Good spot

2

Yup. Dup #3

3

Not applicable. We allow 0 for refund address by design

4

Not applicable. Our interfaces allow more broad solidity version, so they can be used in other project. Our contracts have fixed solidity version.

5

Good spot.

6

Good spot.

7

Good spot.

8

Not applicable. Those virtual functions are meant to be overridden by inheriting contracts

9

Ack

10

Ack

11

Not applicable by design

12

Yup. Dup of #3

13

Not applicable. Lengths are checked in _transferOperatorship

14

Override function but with different argument location

Good spot

15

Tokens with fee on transfer are not supported

Good spot

16

approve return value is ignored

Good spot

17

Not applicable. Those are native ether transfers.

@GalloDaSballo
Copy link
Collaborator

GalloDaSballo commented Sep 4, 2022

1 Does not validate the input fee parameter

NC

2 safeApprove of openZeppelin is deprecated

Disputed as usage is fine

## 3 Not verified input
L

4 Solidity compiler versions mismatch

NC

5 Not verified owner

See 3

## 6 Named return issue
R

7 Two Steps Verification before Transferring Ownership

NC

8 Never used parameters

Disputed as it's all interfaces

13 Two arrays length mismatch

NC

16 approve return value is ignored

L

FeeOnTransfer

L

Skipped the ones I disagree with / are redundant

3L 1R 4NC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working edited-by-warden QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Development

No branches or pull requests

3 participants