The distributeRewards and _distributeRewards functions lack crucial checks, exposing the contract to unexpected behavior across chains and to a Denial of Service (DoS). Specifically, the Chainlink Cross-Chain Interoperability Protocol (CCIP) only transfers tokens that are supported by the CCIP token pool for the destination lane; a send that includes an unsupported token reverts, and with it the whole reward distribution. Additionally, the implemented logic assumes that the set of supported tokens is the same on every chain, which is not the case.
The absence of this check means rewards can be distributed in an uncontrolled manner, with the attendant risk of DoS. Furthermore, the addToken function, responsible for adding new tokens, does not verify that the newly added token is supported by CCIP, which is how an unsupported token can enter the reward list in the first place and introduces a further avenue for inconsistent behavior.
Missing CCIP Token Support Check in Distribution Functions:
The distributeRewards and _distributeRewards functions do not check that the tokens being distributed are supported by the CCIP token pool. This deviates from CCIP requirements and exposes the contract to a DoS: once an unsupported reward token has been added, every distribution that includes it reverts.
Expecting the Same Tokens Across All Chains:
The code assumes that all chains support the same tokens, but this is not guaranteed. Each destination chain has its own set (number and type) of supported tokens, so distributing the same token list to every chain can produce unpredictable outcomes, including reverts on chains where one of the tokens has no pool.
Lack of CCIP Token Support Verification in addToken Function:
The addToken function, responsible for adding new tokens, does not verify whether the newly added token is supported by CCIP. This oversight allows unsupported tokens to be added, potentially leading to inconsistencies in reward distribution.
The absence of essential checks in the contract's reward distribution logic introduces the risk of unexpected behavior across chains. The impact varies based on the configurations of the destination chains. Relying solely on the owner to ensure that only supported tokens are added across all supported chains exposes the project and its users to potential risks. The lack of systematic verification increases the likelihood of inconsistencies, jeopardizing the contract's reliability and the overall integrity of the system.
Manual review
Implement CCIP Token Support Check in Distribution Functions:
Enhance the distributeRewards and _distributeRewards functions by incorporating checks to ensure that the tokens being distributed are supported by the CCIP token pool. This involves validating each token against the list returned from calling getSupportedTokens() in the EVM2EVMOnRamp.sol contract, for the destination chain in question, before building the cross-chain message.
Review and Adjust Logic for Varying Token Support Across Chains:
Review the logic related to token support assumptions across chains and adjust it to accommodate variations in supported tokens on different chains.
Enhance addToken Function with CCIP Token Support Verification:
Update the addToken function to include a check ensuring that the newly added token is supported by the CCIP token pool. This can be achieved by verifying the token against the list obtained from calling getSupportedTokens() in the CCIP contract. Since this list is live configuration, a token that passed the check at registration can still be dropped later, so the distribution-time check above remains necessary.
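One way to implement all three recommendations together, as an added example that is not the audited project's code: reward tokens are registered per destination chain selector, addToken checks the token against the CCIP Router's supported-token list for that lane, and distribution re-checks it so a token removed from the pool after registration is skipped instead of reverting the whole batch. The example queries the Router's getSupportedTokens(chainSelector) rather than the OnRamp directly; the import paths, the getSupportedTokens signature (contracts-ccip v1.2.x), and the contract, error and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import paths assume the @chainlink/contracts-ccip (v1.2.x) and
// @openzeppelin/contracts (>= 4.9, for forceApprove) npm packages.
import {IRouterClient} from "@chainlink/contracts-ccip/src/v0.8/ccip/interfaces/IRouterClient.sol";
import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical reward distributor, not the audited contract. Reward tokens are
/// registered per destination chain selector and checked against the Router's
/// supported-token list both when added and again when distributed.
contract RewardDistributor {
    using SafeERC20 for IERC20;

    error NotOwner();
    error LengthMismatch();
    error UnsupportedChain(uint64 chainSelector);
    error TokenNotSupportedByCCIP(uint64 chainSelector, address token);
    error TokenNotRegistered(uint64 chainSelector, address token);

    /// Emitted when a registered token is no longer in the CCIP pool at send time.
    event TokenSkipped(uint64 indexed chainSelector, address indexed token);

    IRouterClient public immutable router;
    address public immutable owner;

    // chainSelector => token => registered. Keyed per chain because each CCIP
    // lane has its own token pool set; a single global list is the bug above.
    mapping(uint64 => mapping(address => bool)) public isRewardToken;

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    constructor(address router_) {
        router = IRouterClient(router_);
        owner = msg.sender;
    }

    /// True if the Router currently lists `token` as transferable to `chainSelector`.
    function isSupportedByCCIP(uint64 chainSelector, address token) public view returns (bool) {
        if (!router.isChainSupported(chainSelector)) return false;
        address[] memory supported = router.getSupportedTokens(chainSelector);
        for (uint256 i = 0; i < supported.length; ++i) {
            if (supported[i] == token) return true;
        }
        return false;
    }

    /// Register a reward token for one destination chain; refuses tokens the
    /// CCIP pool for that lane does not support.
    function addToken(uint64 chainSelector, address token) external onlyOwner {
        if (!router.isChainSupported(chainSelector)) revert UnsupportedChain(chainSelector);
        if (!isSupportedByCCIP(chainSelector, token)) revert TokenNotSupportedByCCIP(chainSelector, token);
        isRewardToken[chainSelector][token] = true;
    }

    /// Send amounts[i] of tokens[i] to `receiver` on `chainSelector`. A token
    /// dropped from the CCIP pool since registration is skipped and logged
    /// rather than reverting the batch, so one bad token cannot block the rest.
    function distributeRewards(uint64 chainSelector, address receiver, address[] calldata tokens, uint256[] calldata amounts)
        external onlyOwner returns (bytes32 messageId)
    {
        if (tokens.length != amounts.length) revert LengthMismatch();
        Client.EVMTokenAmount[] memory buf = new Client.EVMTokenAmount[](tokens.length);
        uint256 kept;
        for (uint256 i = 0; i < tokens.length; ++i) {
            if (!isRewardToken[chainSelector][tokens[i]]) revert TokenNotRegistered(chainSelector, tokens[i]);
            if (!isSupportedByCCIP(chainSelector, tokens[i])) {
                emit TokenSkipped(chainSelector, tokens[i]);
                continue;
            }
            buf[kept++] = Client.EVMTokenAmount({token: tokens[i], amount: amounts[i]});
        }
        if (kept == 0) return bytes32(0);
        // Shrink the buffer to the tokens actually kept before building the message.
        Client.EVMTokenAmount[] memory tokenAmounts = new Client.EVMTokenAmount[](kept);
        for (uint256 i = 0; i < kept; ++i) tokenAmounts[i] = buf[i];
        return _distributeRewards(chainSelector, receiver, tokenAmounts);
    }

    function _distributeRewards(uint64 chainSelector, address receiver, Client.EVMTokenAmount[] memory tokenAmounts)
        internal returns (bytes32)
    {
        Client.EVM2AnyMessage memory message = Client.EVM2AnyMessage({
            receiver: abi.encode(receiver),
            data: "",
            tokenAmounts: tokenAmounts,
            feeToken: address(0), // fee paid in native gas token held by this contract
            extraArgs: Client._argsToBytes(Client.EVMExtraArgsV1({gasLimit: 200_000}))
        });
        for (uint256 i = 0; i < tokenAmounts.length; ++i) {
            IERC20(tokenAmounts[i].token).forceApprove(address(router), tokenAmounts[i].amount);
        }
        uint256 fee = router.getFee(chainSelector, message);
        return router.ccipSend{value: fee}(chainSelector, message);
    }

    receive() external payable {}
}
```

Skipping rather than reverting is a deliberate choice: the skipped amounts stay in the contract and can be re-sent once the token is supported again or cleaned up by the owner, whereas a revert would block every other reward in the batch, which is exactly the DoS described above. The check is repeated at send time because getSupportedTokens reads live Router configuration, so a token that passed addToken earlier can still be unsupported later.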