Referring to the CCIP best practices: https://docs.chain.link/ccip/best-practices and CCIP Transfer Tokens With Data example: https://docs.chain.link/ccip/tutorials/programmable-token-transfers
The `WrappedTokenBridge` contract is lacking the following security mechanisms:
Verify destination chain.
Verify source chain and sender: An attacker can impersonate a CCIP message on any chain along with an arbitrary amount of virtual tokens. The destination chain will receive the message and transfer real tokens to the attacker.
The `_transferTokens()` function does not check the destination chain, allowing users to unintentionally transfer tokens to the wrong chain and lose them.
The `_ccipReceive()` function lacks necessary verifications: whether the CCIP message is from a trusted chain and whether the sender is the address of the `WrappedTokenBridge` on the source chain.
Consider adding `extraArgs` and setting a `gasLimit`.
The `_transferTokens()` function should check whether the given `destinationChainSelector` is allowlisted.
The `_ccipReceive()` function should verify whether the source chain and the sender are allowlisted.
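One way to implement both checks, as an added sketch that is not code from `WrappedTokenBridge`, `SDLPoolCCIPControllerPrimary` or the CCIP tutorial. The contract name, mappings, errors and setters are assumptions; the sender is decoded with `abi.decode(..., (address))` because CCIP delivers it as ABI-encoded bytes for EVM source chains.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: every name here is hypothetical, not the audited project's code.
// Assumes the receive entry point is already restricted to the CCIP router
// (CCIPReceiver enforces this with its onlyRouter modifier).
abstract contract CcipAllowlist {
    error DestinationChainNotAllowlisted(uint64 selector);
    error SourceChainNotAllowlisted(uint64 selector);
    error SenderNotAllowlisted(uint64 selector, address sender);

    address public immutable owner;
    mapping(uint64 => bool) public allowlistedDestinationChains;
    // source chain selector => the single trusted bridge address on that chain
    mapping(uint64 => address) public trustedSenders;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setDestinationChain(uint64 selector, bool allowed) external onlyOwner {
        allowlistedDestinationChains[selector] = allowed;
    }

    function setTrustedSender(uint64 selector, address sender) external onlyOwner {
        trustedSenders[selector] = sender; // address(0) removes the chain
    }

    // Call first in the sending path (_transferTokens in this finding).
    function _checkDestination(uint64 selector) internal view {
        if (!allowlistedDestinationChains[selector]) revert DestinationChainNotAllowlisted(selector);
    }

    // Call first in _ccipReceive with message.sourceChainSelector and message.sender.
    function _checkSource(uint64 selector, bytes memory encodedSender) internal view {
        address trusted = trustedSenders[selector];
        if (trusted == address(0)) revert SourceChainNotAllowlisted(selector);
        address sender = abi.decode(encodedSender, (address));
        if (sender != trusted) revert SenderNotAllowlisted(selector, sender);
    }
}
```

Binding one trusted sender to each source chain selector is stricter than keeping two independent allowlists, since an address trusted on one chain is not automatically accepted from another.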
Below is an example of verifying the sender from the source chain within the `SDLPoolCCIPControllerPrimary` contract: