MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack Of implementation of arbritum gateway practices, may lead to failed cross chain operations and loss of funds

inzinko

Summary

When the sendDepositFunction is called it tries to bridge using arbritum cross chain gateway router, but the issue is that the way the gas parameters are set, may lead to failed transactions and loss of funds paid for gas. Becuase arbitrum as a very unique architecture and requires more computational resources developers are advised to make sure that the amount of gas they send is enough to carry out the operations.

Vulnerability Details

Before explaning the details lets understand some terms

L2 Transaction Gas Costs: This is the cost of executing the transaction on L2, it can be estimated as below
gasLimit * maxFeePerGas
L2 Transaction Submission Costs: This is the cost of submitting the transaction to L2, it is a fee sent on L1 to cover the resources used by the L2 network to inculde your L1 tx in L2

Now lets look at the sendDepositTokens function to understand whats actually going on

function sendDepositToken(

uint256 gasLimit_,

uint256 maxFeePerGas_,

uint256 maxSubmissionCost_

) external payable onlyDistribution returns (bytes memory) {

DepositTokenConfig storage config = depositTokenConfig;

// Get current stETH balance

uint256 amountUnwrappedToken_ = IERC20(unwrappedDepositToken).balanceOf(address(this));

// Wrap all stETH to wstETH

uint256 amount_ = IWStETH(config.token).wrap(amountUnwrappedToken_);

bytes memory data_ = abi.encode(maxSubmissionCost_, "");

return

IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(

config.token,

config.receiver,

amount_,

gasLimit_,

maxFeePerGas_,

data_

);

}

We notice all parameter are set but no additional checks to make sure that the parameters will make sure the transaction about to be sent will be completed

When we continue with our terms, we now calculate the total amount required,

totalCost = gasLimit * maxFeePerGas + _maxSubmissionCost

This totalCost variable should be checked to ensure that the msg.value passed to the function is greater than what the total cost is, this is what the arbitrum considers great pratices when using the gateway router contract.

Because _maxSubmissionCost is based on the current conditions on the volatie and unpreditable L1 and L2 chains, that check above is very important to avoid failed transactions

Note: This Report considers the probability that the gas parameter passed will not be enough to cover the transaction cost low, the impact for not including this check is very high and leads to loss of funds. Also checking the msg.value is considered best practices

Impact

Loss of funds and Failed Operations as Gas used to perform crosschain operations are lost completely.

Tools Used

Manual Review

Recommendations

Before Passing the Gas Parameter the total cost should be calculated and a require statement should be implemented to ensure that the msg.value is greater than the cost to complete the operations.

uint256 expectedEth = _maxSubmissionCost + (gasLimit * maxFeePerGAs);

require(_maxSubmissionCost > 0, "NO_SUBMISSION_COST");

require(msg.value > expectedEth, "WRONG_ETH_VALUE");

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.