stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

Currently protocol tokens like `sdlToken`, `linkToken` or `wstLink` are not supported for token transfer via CCIP

Summary

The protocol assumes that some tokens like `sdlToken`, `linkToken` or `wstLink` are supported for transfer via Chainlink CCIP.

Vulnerability Details

Currently, Chainlink CCIP supports the following tokens, as we can see here:

Ethereum -> Arbitrum lane: NUON, suUSD, suETH, suBTC, DFX, HYPE

Ethereum -> Optimism lane: None

Arbitrum -> Ethereum lane: NUON, suUSD, suETH, suBTC, DFX, HYPE

Arbitrum -> Optimism lane: None

Optimism -> Ethereum lane: None

Optimism -> Arbitrum lane: None

As of the time of the audit contest, the tokens that the protocol wants to transfer between chains are not supported, and the protocol would not be able to work properly when bridging or distributing rewards between chains.

A relevant aspect to keep in mind is that the Ethereum -> Arbitrum lane is different from the Arbitrum -> Ethereum lane. For the protocol to work properly, all the transferred tokens must be whitelisted in all lanes, because if they are only supported in one lane, a user who wants to bridge his reSDL token will not be able to, since CCIP will not have registered the token to be transferred back.

Finally, another topic to keep in mind is the token architecture that CCIP supports. Currently CCIP has 2 supported token architectures and 1 on the roadmap. We can see these architectures here.

  1. Burn & Mint
    Tokens are burned on the source chain and minted natively on the destination chain.

  2. Lock & Mint (Reverse: Burn & Unlock)
    Tokens are locked on the source chain (in Token Pools), and wrapped/synthetic/derivative tokens that represent the locked tokens are minted on the destination chain.

  3. Lock & Unlock [ON THE ROADMAP]
    Transferred tokens are locked on the source chain (in Token Pools) and unlocked from Token Pools on the destination chain. This feature is not live yet.

Impact

High, if tokens are not supported, the protocol will not work properly.

Tools Used

Manual review

Recommendations

Request Chainlink to whitelist the tokens for CCIP, or send tokens virtually via the message data field.
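
The directional-lane point in the Vulnerability Details, as an added example (not part of the submission or the stake.link code base): a pre-deployment check that, given a per-lane token table, reports which required tokens cannot make the round trip between two chains. The first table repeats the lanes as listed in the submission; `roundTripGaps`, `strandedRoutes` and the `ASYMMETRIC` table are names and data constructed for this example, and a live check would compare token addresses rather than symbols.

```javascript
// Lane table as listed in the submission (directional: "source->destination").
const LANES_FROM_SUBMISSION = {
  "Ethereum->Arbitrum": ["NUON", "suUSD", "suETH", "suBTC", "DFX", "HYPE"],
  "Ethereum->Optimism": [],
  "Arbitrum->Ethereum": ["NUON", "suUSD", "suETH", "suBTC", "DFX", "HYPE"],
  "Arbitrum->Optimism": [],
  "Optimism->Ethereum": [],
  "Optimism->Arbitrum": [],
};

// Tokens the submission says the protocol needs to move (names only).
const REQUIRED = ["sdlToken", "linkToken", "wstLink"];

// For every directional lane, report each required token that is missing on
// the outbound lane, the return lane, or both.
function roundTripGaps(lanes, required) {
  const gaps = [];
  for (const lane of Object.keys(lanes)) {
    const [src, dst] = lane.split("->");
    const out = new Set(lanes[lane]);
    // A return lane absent from the table is treated as supporting nothing.
    const back = new Set(lanes[`${dst}->${src}`] || []);
    for (const token of required) {
      const outbound = out.has(token);
      const inbound = back.has(token);
      if (!outbound || !inbound) {
        // stranded: the token can leave src but cannot come back from dst
        gaps.push({ token, src, dst, outbound, inbound,
                    stranded: outbound && !inbound });
      }
    }
  }
  return gaps;
}

// Routes where a bridged token could not be returned, as "token:src->dst".
function strandedRoutes(lanes, required) {
  return roundTripGaps(lanes, required)
    .filter((g) => g.stranded)
    .map((g) => `${g.token}:${g.src}->${g.dst}`);
}

// Constructed asymmetric case: token whitelisted in one direction only.
const ASYMMETRIC = {
  "Ethereum->Arbitrum": ["sdlToken"],
  "Arbitrum->Ethereum": [],
};
```
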

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
