CoreBranchRouter.executeNoSettlement()
fails to refund the unconsumed gas after completion of execution
#345
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
primary issue
Highest quality submission among a set of duplicates
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/main/src/CoreBranchRouter.sol#L86-L149
https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchBridgeAgentExecutor.sol#L53-L56
https://github.com/code-423n4/2023-09-maia/blob/main/src/MulticallRootRouter.sol#L142-L149
https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgentExecutor.sol#L72
https://github.com/code-423n4/2023-09-maia/blob/main/src/MulticallRootRouter.sol#L234-L241
https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgentExecutor.sol#L156
Vulnerability details
CoreBranchRouter.executeNoSettlement()
is used to execute branch management functions such as addGlobalToken, addBridgeAgent, manageStrategyToken, etc. It receives native tokens fromBranchBridgeAgentExecutor
for gas to perform subsequent callout to root chain. In the case of addGlobalToken and addBridgeAgent, the callout to root chain will take care of the refund of native tokens as LayerZeroEndpoint(lzEndpointAddress).send() will refund the excess minus fees.However, for management functions that does not have subsequent callout like manageStrategyToken, removeBranchBridgeAgent, the native tokens are not refunded by
CoreBranchRouter
after successful execution. The unconsumed native tokens will be left stuck in theCoreBranchRouter
contract.Note that the issue is possible as
CoreRootRouter
allows the passing in ofGasParams
to allow transfer of native tokens for remote execution gas. And this issue occurs in the test suite as shown in the POC below.The issue is also present in
ArbitrumCoreBranchRouter.executeNoSettlement()
,MulticallRootRouter.execute()
,MulticallRootRouter.executeSigned()
. These functions accept native tokens for remote execution but has specific cases that does not perform subsequent callouts.https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchBridgeAgentExecutor.sol#L53-L56
Impact
The unconsumed gas will be left stuck within the router contracts without any mechanism to retrieve them.
Proof of Concept
Add the console.log as shown below to existing
testAddStrategyToken()
in RootTest.t.sol#L747. It will show that theCoreBranchRouter
will be left with the unconsumed native tokens.Recommended Mitigation Steps
Implement a refund by transfering the native tokens that was received from msg.value.
Assessed type
Token-Transfer
The text was updated successfully, but these errors were encountered: