Avoid `payable(address).transfer` #186

code423n4 · 2022-08-03T16:56:06Z

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L22-L23
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L51-L52
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L71-L72
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/ReceiverImplementation.sol#L84-L86
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L128-L129
https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L144-L145

Vulnerability details

The Axelar contracts use <address payable>.transfer to perform native token transfers:

ReceiverImplementation#receiveAndSendToken:

        // Always refunding native otherwise it's sent on DepositReceiver self destruction
        if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

ReceiverImplementation#receiveAndSendNative:

            if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

ReceiverImplementation#receiveAndUnwrapNative L#71:

        if (address(this).balance > 0) refundAddress.transfer(address(this).balance);

ReceiverImplementation#receiveAndUnwrapNative L#84:

        // Unwrapping the token into native currency and sending it to the recipient
        IWETH9(wrappedTokenAddress).withdraw(amount);
        recipient.transfer(amount);

AxelarGasService#collectFees:

                if (amount > 0) receiver.transfer(amount);

AxelarGasService#refund:

            receiver.transfer(amount);

However, transfer forwards a fixed stipend of 2300 gas that may be insufficient for some smart contract recipients, and could potentially revert in the future if gas costs change. (See the Consensys Diligence article here).

Impact: Some refund recipients and receivers, especially custom contracts or smart contract wallets, may be unable to receive native token transfers, breaking composability of the Axelar protocol.

Suggestion: Use <address payable>.call to perform native token transfers. However, note that forwarding unlimited gas introduces a potential vector for re-entrancy.

The text was updated successfully, but these errors were encountered:

GalloDaSballo · 2022-08-03T21:21:27Z

See #203

re1ro · 2022-08-23T00:34:16Z

Duplicate of #4

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 3, 2022

code423n4 added a commit that referenced this issue Aug 3, 2022

horsefacts issue #186

323b112

re1ro marked this as a duplicate of #4 Aug 23, 2022

re1ro closed this as completed Aug 23, 2022

re1ro added the duplicate This issue or pull request already exists label Aug 23, 2022

GalloDaSballo added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 28, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Avoid `payable(address).transfer` #186

Avoid `payable(address).transfer` #186

code423n4 commented Aug 3, 2022

GalloDaSballo commented Aug 3, 2022

re1ro commented Aug 23, 2022

Avoid payable(address).transfer #186

Avoid payable(address).transfer #186

Comments

code423n4 commented Aug 3, 2022

Lines of code

Vulnerability details

GalloDaSballo commented Aug 3, 2022

re1ro commented Aug 23, 2022

Avoid `payable(address).transfer` #186

Avoid `payable(address).transfer` #186