MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

L1Sender does not implement any method for withdrawing ETH

Summary

L1Sender has no way of recovering ETH that the Arbitrum Gateway Router refunds to it.

Vulnerability Details

Each time L1Sender transacts with L1GatewayRouter via the sendDepositToken() function, it must forward a fee in msg.value. The required amount is estimated off-chain and varies. Where the caller pays too much, the excess fee is refunded to the sending contract, i.e. L1Sender.
However, L1Sender does not implement any method to transfer ETH out, so refunded funds get stuck in the contract.

    function sendDepositToken(
        uint256 gasLimit_,
        uint256 maxFeePerGas_,
        uint256 maxSubmissionCost_
    ) external payable onlyDistribution returns (bytes memory) {
        DepositTokenConfig storage config = depositTokenConfig;

        // Get current stETH balance
        uint256 amountUnwrappedToken_ = IERC20(unwrappedDepositToken).balanceOf(address(this));
        // Wrap all stETH to wstETH
        uint256 amount_ = IWStETH(config.token).wrap(amountUnwrappedToken_);

        bytes memory data_ = abi.encode(maxSubmissionCost_, "");

        // The whole msg.value is forwarded to the gateway as the bridging fee
        return
            IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(
                config.token,
                config.receiver,
                amount_,
                gasLimit_,
                maxFeePerGas_,
                data_
            );
    }

Impact

Refunded ETH will get stuck in the contract, causing the protocol to lose money.

Tools Used

Hardhat
Manual Review

Recommendations

Add a function to transfer ETH out of the contract to a trusted address, and implement refund functionality in the GatewayRouterMock.sol contract so the scenario is covered by tests.
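A sketch of the recovery function recommended above, added here as an illustration and not code from the MorpheusAI repository. It assumes a minimal owner check in place of the project's own access control (the real L1Sender's modifiers, storage and upgradeability are not reproduced), and names such as withdrawETH and EthRecovered are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical sketch: an ETH recovery path for a sender contract that
/// forwards msg.value to a gateway and may receive excess fee back.
/// Assumption: a single trusted owner; the real contract's access control differs.
contract L1SenderEthRecovery {
    address public owner;

    event EthRecovered(address indexed to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "L1Sender: not owner");
        _;
    }

    constructor(address owner_) {
        require(owner_ != address(0), "L1Sender: zero owner");
        owner = owner_;
    }

    /// Plain ETH transfers (empty calldata) revert unless a receive() or payable
    /// fallback exists, so a refund can only land here if this is present.
    receive() external payable {}

    /// Sweep the contract's ETH balance to a trusted address.
    /// Restricted to the owner so that arbitrary callers cannot redirect refunds.
    function withdrawETH(address payable to_) external onlyOwner {
        require(to_ != address(0), "L1Sender: zero recipient");
        uint256 amount_ = address(this).balance;
        require(amount_ > 0, "L1Sender: nothing to withdraw");

        // Use call rather than transfer so a contract recipient with a
        // non-trivial receive() is not broken by the 2300 gas stipend.
        (bool ok, ) = to_.call{value: amount_}("");
        require(ok, "L1Sender: ETH transfer failed");

        emit EthRecovered(to_, amount_);
    }
}
```

A test for this path would send ETH to the contract with empty calldata (the mock gateway's refund), then assert that withdrawETH moves the full balance to the trusted address and reverts for a non-owner caller.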

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
