stake.link
stake.link
DeFiHardhatBridge
27,500 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unchecked _destinationChainSelector can cause users to lose funds

funkornaut

Summary

Within the RESDLTokenBridge contract the function transferRESDL does not check if the _destinationChainSelector is a valid chain. If a user were to use this function to transfer an RESDL token within the chain they are currently on they will lose the funds associated with that RESDL token.

Vulnerability Details

The flow from calling this function eventually leads to SDLPoolPrimary:handleOutgoingRESDL() where balances are updated and SDL tokens are transferred

function handleOutgoingRESDL(
address _sender,
uint256 _lockId,
address _sdlReceiver
)
external
onlyCCIPController
onlyLockOwner(_lockId, _sender)
updateRewards(_sender)
updateRewards(ccipController)
returns (Lock memory)
{
Lock memory lock = locks[_lockId];
delete locks[_lockId].amount;
delete lockOwners[_lockId];
balances[_sender] -= 1;
uint256 totalAmount = lock.amount + lock.boostAmount;
effectiveBalances[_sender] -= totalAmount;
effectiveBalances[ccipController] += totalAmount;
sdlToken.safeTransfer(_sdlReceiver, lock.amount);
emit OutgoingRESDL(_sender, _lockId);
return lock;
}

Impact

This leads to inaccurate accounting. The balance of the ccipController is artificially inflated as no tokens should be moved across chains. The balance of the sender should be decreased by the amount and the balance of the target address the user wants to send to should be increased.

Tools Used

Manual Review

Recommendations

Validate that the _destinationChainSelector is appropriate and not of the current chain.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.