CoreBranchRouter.executeNoSettlement() fails to refund the unconsumed gas after completion of execution
#345
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
primary issue
Highest quality submission among a set of duplicates
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-submissions
added
2 (Med Risk)
|
0xA5DF marked the issue as sufficient quality report |
c4-pre-sort
added
sufficient quality report
|
0xA5DF marked the issue as primary issue |
|
0xLightt (sponsor) disputed |
c4-sponsor
added
the
sponsor disputed
|
Disputed on what grounds, please? |
|
This would require API misuse by governance. The governance contract would be sending extra native tokens to be used for further layerzero/cross-chain calls when there are none expected. The gas parameters passed should be something like this |
c4-judge
added
the
unsatisfactory
|
alcueca marked the issue as unsatisfactory: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/main/src/CoreBranchRouter.sol#L86-L149
https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchBridgeAgentExecutor.sol#L53-L56
https://github.com/code-423n4/2023-09-maia/blob/main/src/MulticallRootRouter.sol#L142-L149
https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgentExecutor.sol#L72
https://github.com/code-423n4/2023-09-maia/blob/main/src/MulticallRootRouter.sol#L234-L241
https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgentExecutor.sol#L156
Vulnerability details
CoreBranchRouter.executeNoSettlement()is used to execute branch management functions such as addGlobalToken, addBridgeAgent, manageStrategyToken, etc. It receives native tokens fromBranchBridgeAgentExecutorfor gas to perform subsequent callout to root chain. In the case of addGlobalToken and addBridgeAgent, the callout to root chain will take care of the refund of native tokens as LayerZeroEndpoint(lzEndpointAddress).send() will refund the excess minus fees.However, for management functions that does not have subsequent callout like manageStrategyToken, removeBranchBridgeAgent, the native tokens are not refunded by
CoreBranchRouterafter successful execution. The unconsumed native tokens will be left stuck in theCoreBranchRoutercontract.Note that the issue is possible as
CoreRootRouterallows the passing in ofGasParamsto allow transfer of native tokens for remote execution gas. And this issue occurs in the test suite as shown in the POC below.The issue is also present in
ArbitrumCoreBranchRouter.executeNoSettlement(),MulticallRootRouter.execute(),MulticallRootRouter.executeSigned(). These functions accept native tokens for remote execution but has specific cases that does not perform subsequent callouts.https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchBridgeAgentExecutor.sol#L53-L56
Impact
The unconsumed gas will be left stuck within the router contracts without any mechanism to retrieve them.
Proof of Concept
Add the console.log as shown below to existing
testAddStrategyToken()in RootTest.t.sol#L747. It will show that theCoreBranchRouterwill be left with the unconsumed native tokens.Recommended Mitigation Steps
Implement a refund by transfering the native tokens that was received from msg.value.
Assessed type
Token-Transfer
The text was updated successfully, but these errors were encountered: