MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Invalid

Ether will be stuck in `GatewayRouterMock`: ether is transferred to it through its payable function, but there is no way to withdraw ether from it.

Vulnerability Details

`GatewayRouterMock::outboundTransfer` is a payable function. It is called in `L1Sender::sendDepositToken`, and ether is sent to it with that `outboundTransfer` call. However, the ether is never transferred to the recipient it is intended for, and the related parameters are simply ignored. There is also no way to withdraw ether from the `GatewayRouterMock` contract, so the ether will be stuck there forever.

Code Snippet

contracts/mock/GatewayRouterMock.sol#L6-L18

```solidity
contract GatewayRouterMock {
    function outboundTransfer(
        address _token,
        address _to,
        uint256 _amount,
        uint256 _maxGas,
        uint256 _gasPriceBid,
        bytes calldata _data
    ) external payable returns (bytes memory) {
        // Only the ERC-20 amount is moved; msg.value is never forwarded.
        IERC20(_token).transferFrom(msg.sender, _to, _amount);
        return abi.encode(_token, _to, _amount, _maxGas, _gasPriceBid, _data);
    }
}
```

contracts/L1Sender.sol#L114-L121

```solidity
IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(
    config.token,
    config.receiver,
    amount_,
    gasLimit_,
    maxFeePerGas_,
    data_
);
```

Impact

Ether will be stuck in the `GatewayRouterMock` contract and will not be sent to the receiver that was passed in.

Tools Used

Manual Review

Recommended Mitigation

Send the ether to the receiver it is intended for. Also add an owner-controlled withdraw function to the `GatewayRouterMock` contract so that the owner can withdraw stuck ether.
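One way to apply both recommendations to the mock, as an added example (not code from the MorpheusAI repository or from the submission). The contract name, `owner`, `withdraw`, the inline `IERC20Minimal` interface and the custom errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface so the example compiles on its own (assumption, not the project's import).
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical variant of GatewayRouterMock that follows the two recommendations above.
contract GatewayRouterMockHardened {
    address public immutable owner;

    error NotOwner();
    error EthTransferFailed();

    constructor() {
        owner = msg.sender;
    }

    function outboundTransfer(
        address _token,
        address _to,
        uint256 _amount,
        uint256 _maxGas,
        uint256 _gasPriceBid,
        bytes calldata _data
    ) external payable returns (bytes memory) {
        IERC20Minimal(_token).transferFrom(msg.sender, _to, _amount);
        // Recommendation 1: pass the attached ether on to the receiver instead of keeping it.
        if (msg.value > 0) {
            (bool sent, ) = payable(_to).call{value: msg.value}("");
            if (!sent) revert EthTransferFailed();
        }
        return abi.encode(_token, _to, _amount, _maxGas, _gasPriceBid, _data);
    }

    // Recommendation 2: owner-only sweep for any ether that still ends up in the contract.
    function withdraw(address payable to_) external {
        if (msg.sender != owner) revert NotOwner();
        (bool sent, ) = to_.call{value: address(this).balance}("");
        if (!sent) revert EthTransferFailed();
    }
}
```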

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
