stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Invalid

`WrappedTokenBridge.sol::recoverTokens` function does not properly refund user tokens if more than one user mistakenly sends tokens, causing loss of tokens

Summary

The `WrappedTokenBridge.sol::recoverTokens` function does not properly handle the refund of user tokens, causing loss of tokens.

Vulnerability Details

Consider a scenario where user A mistakenly sends some amount of a token to the `WrappedTokenBridge.sol` contract, user B also mistakenly sends some amount of the same token, and then user C also mistakenly sends some amount of the same token to the contract. At that point, whichever user comes first to the protocol team to retrieve their tokens would get all of the tokens in `WrappedTokenBridge.sol`. The other two users lose their tokens, because whenever they come to claim them there would be no balance left in `WrappedTokenBridge.sol`.

Impact

Below is a step-by-step guide to test and confirm the vulnerability.
Open the `wrapped-token-bridge.test.ts` file and paste the code below into the `beforeEach` block of the test code:

```typescript
// fund each user with the tokens they will mistakenly send to the bridge contract
await linkToken.transfer(accounts[1], toEther(10));
await linkToken.transfer(accounts[2], toEther(10));
await linkToken.transfer(accounts[3], toEther(10));
// each user approves the bridge contract for the tokens they will mistakenly send to it
await linkToken.connect(signers[1]).approve(bridge.address, 100);
await linkToken.connect(signers[2]).approve(bridge.address, 100);
await linkToken.connect(signers[3]).approve(bridge.address, 100);
```

Then paste the test below inside the `describe` block of the test code:

```typescript
it('recoverTokens does not work properly in a scenario where more than one person mistakenly sends money to the contract', async () => {
  // each user mistakenly sends tokens to the bridge contract
  await linkToken.connect(signers[1]).transfer(bridge.address, toEther(10))
  await linkToken.connect(signers[2]).transfer(bridge.address, toEther(10))
  await linkToken.connect(signers[3]).transfer(bridge.address, toEther(10))
  // user 3 retrieves their tokens
  await bridge.recoverTokens([linkToken.address], accounts[3])
  // assert that the user receives the bridge contract's entire LINK balance instead of only what they mistakenly sent
  assert.equal(fromEther(await linkToken.balanceOf(accounts[3])), 30)
})
```

Then run the command below in your terminal:

```bash
# the pattern is quoted so the shell passes it to --grep as a single argument
yarn test --grep "more than one person mistakenly sends money"
```

On running the command above you should get the output below, which shows that the vulnerability was indeed exploited:

```
WrappedTokenBridge
✔ recoverTokens does not work properly in a scenario where more than one person mistakenly sends money to the contract (61ms)
1 passing (5s)
```

Tools Used

Hardhat Test suite

Recommendations

I know well enough that it can really be some extra work to always check how much was mistakenly sent by each user who mistakenly sends tokens to this contract, but if the protocol would prefer to keep this functionality, they would really need an event listener that always listens for an event emitted whenever `WrappedTokenBridge.sol` receives tokens. The event details can be used to map the sent amount to each user who mistakenly sent the token. Whenever a user wants to retrieve their tokens, this mapping can be used to get the amount they sent and send back just that amount, instead of the contract's entire balance of the mistakenly sent token.
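A sketch of the off-chain bookkeeping this recommendation describes, added here as an illustration and not taken from the submission or the stake.link code base. It assumes the listener has already decoded the token's ERC-20 `Transfer(from, to, value)` logs and that every transfer to the bridge in the list is a stray one; `BRIDGE`, the sender addresses, the sample logs and both function names are constructed for the example.

```javascript
// Added illustration: per-sender tally of ERC-20 Transfer events sent to the bridge.
// BRIDGE, the sender addresses and the log entries are constructed sample values.
const BRIDGE = '0x00000000000000000000000000000000000000b1';
const WEI = 10n ** 18n; // amounts are kept as BigInt to avoid precision loss

// Decoded Transfer(from, to, value) logs for one token, in block order (constructed).
const sampleLogs = [
  { from: '0x00000000000000000000000000000000000000A1', to: BRIDGE, value: 10n * WEI },
  { from: '0x00000000000000000000000000000000000000a2', to: BRIDGE, value: 10n * WEI },
  { from: '0x00000000000000000000000000000000000000a3',
    to: '0x00000000000000000000000000000000000000c9', value: 5n * WEI },
  { from: '0x00000000000000000000000000000000000000a3', to: BRIDGE, value: 10n * WEI },
  { from: '0x00000000000000000000000000000000000000a1', to: BRIDGE, value: 2n * WEI },
];

// Sum what each sender transferred directly to the bridge; ignore other transfers.
function tallyStrayTransfers(logs, bridge) {
  const owed = new Map();
  for (const { from, to, value } of logs) {
    if (to.toLowerCase() !== bridge.toLowerCase()) continue;
    const sender = from.toLowerCase(); // normalise checksum/mixed-case addresses
    owed.set(sender, (owed.get(sender) ?? 0n) + value);
  }
  return owed;
}

// Plan a refund for one claimant, capped by what they sent and by what is left.
function planRefund(owed, claimant, bridgeBalance) {
  const key = claimant.toLowerCase();
  const sent = owed.get(key) ?? 0n;
  if (sent === 0n) throw new Error(`no recorded transfer from ${claimant}`);
  const amount = sent <= bridgeBalance ? sent : bridgeBalance;
  owed.set(key, sent - amount); // a repeat claim by the same sender yields nothing
  return { to: key, amount, remaining: bridgeBalance - amount };
}
```

With the sample logs, the three senders are recorded as owed 12, 10 and 10 tokens, and a claim by the third sender is planned as 10 tokens rather than the whole 32-token balance.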

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
