stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Unchecked same-chain transfer vulnerability, user can lose tokens

Summary:

In the RESDLTokenBridge contract, the transferRESDL function sends a reSDL token to a destination chain. There is no explicit check that the destination chain differs from the chain the call is made on: if the caller passes the current chain as the destination, the transfer proceeds without reverting.

Vulnerability Details:

  1. Unchecked Same-Chain Transfer:

    • The transferRESDL function has no check that rejects same-chain transfers. As a result, the subsequent handleOutgoingRESDL call executes state changes that are only meaningful for a cross-chain transfer, leading to unintended behavior.

  2. Lock Deletion and Balance Update:

    • In the handleOutgoingRESDL function, the lock is removed from the locks mapping, the sender's balance is decremented, and the effective balances are updated, all without verifying that the transfer targets a different chain.

  3. Potential Transfer to ccipController:

    • In the same-chain scenario, the sdlToken is still transferred to the specified _sdlReceiver. Because no same-chain check stops the call, the tokens end up routed to ccipController as if a cross-chain transfer were in progress.

Impact:

The unchecked same-chain transfer vulnerability introduces the following risks:

  • Unintended state changes, including lock deletion and balance adjustments, during a same-chain transfer.

  • Transfer of tokens to ccipController when the source chain is erroneously specified as the destination chain.

  • Loss of the fee paid for the attempted transfer.

POC

Same-Chain Transfer Mistake:

  1. User Mistake:

    • The user mistakenly specifies the current chain as the destination.

      RESDLTokenBridge.transferRESDL(SepoliaChainID, ReceiverAddress, TokenID);

  2. No Same-Chain Check:

    • Nothing in transferRESDL rejects a destination equal to the source chain, so the call continues.

  3. Unintended Execution:

    • handleOutgoingRESDL is called internally on the assumption that a cross-chain transfer is taking place.

  4. Lock Deletion:

    • The lock amount associated with TokenID is deleted from the locks mapping.

      delete locks[TokenID].amount;

  5. Balance Adjustment:

    • The sender's lock count is decreased by 1.

      balances[_sender] -= 1;

  6. Effective Balances Update:

    • The effective balances are adjusted: the sender's is decreased and ccipController's is increased by the same total.

      effectiveBalances[_sender] -= totalAmount;
      effectiveBalances[ccipController] += totalAmount;

  7. Token Transfer:

    • The sdlToken is transferred to the specified _sdlReceiver.

      sdlToken.safeTransfer(_sdlReceiver, lock.amount);

  8. Unintended Result:

    • All of these actions are meant to accompany a cross-chain transfer, but because of the same-chain mistake they take effect on the source chain with no corresponding transfer anywhere.

Tools Used:

Manual code review.

Recommendations:

Add Same-Chain Transfer Check:

  • Add a check at the start of transferRESDL that reverts when the destination chain selector equals the current chain's selector, so that none of the state-changing operations in handleOutgoingRESDL run for a same-chain call.
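The following is an added illustration of the POC path and of the recommended guard together; it is not stake.link's RESDLTokenBridge or SDLPool code. It keeps only the state changes quoted in the POC (lock amount deleted, balances and effective balances moved to the controller, SDL moved to the receiver) and puts the same-chain revert in front of them. The names localChainSelector, SameChainTransfer, whitelistedChains, addLock, setWhitelistedChain and the two-field Lock struct are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration for this report, not project code. Names such as
// localChainSelector, SameChainTransfer and the test helpers are assumptions.

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SameChainGuardExample {
    struct Lock {
        uint256 amount;
        uint256 boostAmount;
    }

    error SameChainTransfer(uint64 chainSelector);
    error DestinationNotWhitelisted(uint64 chainSelector);
    error NotLockOwner(uint256 lockId);

    event OutgoingRESDL(uint64 indexed destinationChainSelector, address indexed receiver, uint256 indexed lockId);

    IERC20Like public immutable sdlToken;
    address public immutable ccipController;
    uint64 public immutable localChainSelector; // assumption: CCIP selector of this chain, fixed at deploy

    mapping(uint256 => Lock) public locks;
    mapping(uint256 => address) public lockOwners;
    mapping(address => uint256) public balances;          // number of locks held per address
    mapping(address => uint256) public effectiveBalances; // amount + boostAmount per address
    mapping(uint64 => bool) public whitelistedChains;

    constructor(IERC20Like _sdlToken, address _ccipController, uint64 _localChainSelector) {
        sdlToken = _sdlToken;
        ccipController = _ccipController;
        localChainSelector = _localChainSelector;
    }

    // Test helper (assumption): seed a lock the way a pool would after staking.
    function addLock(uint256 _lockId, address _owner, uint256 _amount, uint256 _boostAmount) external {
        locks[_lockId] = Lock(_amount, _boostAmount);
        lockOwners[_lockId] = _owner;
        balances[_owner] += 1;
        effectiveBalances[_owner] += _amount + _boostAmount;
    }

    // Test helper (assumption): mark a destination chain as bridgeable.
    function setWhitelistedChain(uint64 _chainSelector, bool _allowed) external {
        whitelistedChains[_chainSelector] = _allowed;
    }

    // Entry point mirroring transferRESDL. The first revert is the check the
    // report recommends: a destination equal to the chain we are on is not a
    // bridge transfer, so no lock state may be touched.
    function transferRESDL(uint64 _destinationChainSelector, address _receiver, uint256 _lockId) external {
        if (_destinationChainSelector == localChainSelector) {
            revert SameChainTransfer(_destinationChainSelector);
        }
        if (!whitelistedChains[_destinationChainSelector]) {
            revert DestinationNotWhitelisted(_destinationChainSelector);
        }
        if (lockOwners[_lockId] != msg.sender) {
            revert NotLockOwner(_lockId);
        }

        _handleOutgoingRESDL(msg.sender, _lockId, ccipController);
        // A real bridge would now build the CCIP message carrying _receiver and
        // the lock data and pay the CCIP fee; that part is omitted here.
        emit OutgoingRESDL(_destinationChainSelector, _receiver, _lockId);
    }

    // Same sequence of state changes the POC quotes from handleOutgoingRESDL.
    // Because transferRESDL has already rejected same-chain calls, these lines
    // only run for a genuine cross-chain transfer.
    function _handleOutgoingRESDL(address _sender, uint256 _lockId, address _sdlReceiver) internal {
        Lock memory lock = locks[_lockId];

        delete locks[_lockId].amount;
        delete lockOwners[_lockId];
        balances[_sender] -= 1;

        uint256 totalAmount = lock.amount + lock.boostAmount;
        effectiveBalances[_sender] -= totalAmount;
        effectiveBalances[ccipController] += totalAmount;

        require(sdlToken.transfer(_sdlReceiver, lock.amount), "SDL transfer failed");
    }
}
```

In a Hardhat test, deploy the contract with some selector as localChainSelector, seed a lock with addLock, then call transferRESDL with that same selector as the destination: the call must revert with SameChainTransfer, and locks, balances and effectiveBalances must be unchanged afterwards. Repeating the call with a whitelisted foreign selector shows the state changes running as intended.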

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
0xtheblackpanther Submitter
over 1 year ago
0kage Lead Judge
over 1 year ago
