MorpheusAI
Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Malicious users can abuse the protocol to get refunds in native tokens

Summary

To claim rewards, a user calls claim() on the Distribution contract, which forwards a call to the L1Sender contract. That forwarded call passes the caller as the refund address, which this report considers an incorrect argument.

Vulnerability Details

Users claim their rewards via claim() in the Distribution contract, which forwards the call (and the attached msg.value) to L1Sender:

    function claim(uint256 poolId_, address user_) external payable poolExists(poolId_) {
        ...
        // Transfer rewards: msg.value and the caller (as refund address) are forwarded to L1Sender
        L1Sender(l1Sender).sendMintMessage{value: msg.value}(user_, pendingRewards_, _msgSender());
        emit UserClaimed(poolId_, user_, pendingRewards_);
    }

L1Sender contract:

    function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {
        RewardTokenConfig storage config = rewardTokenConfig;
        bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));
        bytes memory payload_ = abi.encode(user_, amount_);
        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId, // communicator LayerZero chainId
            receiverAndSenderAddresses_, // send to this address to the communicator
            payload_, // bytes payload
@>          payable(refundTo_), // refund address
            address(0x0), // future parameter
            bytes("") // adapterParams (see "Advanced Features")
        );
    }

Here refundTo_ is the _msgSender() forwarded by claim(), i.e. the user who called claim(). The LayerZero endpoint returns any native value it does not consume as the message fee to that refund address, so the refund is paid to the user rather than to the protocol.
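The refund path described above, as an added Foundry test that is not part of the original submission or the MorpheusAI code base. It uses a constructed stand-in for the LayerZero endpoint (MockLzEndpoint, with an assumed fixed fee) and minimal stand-ins for the two contracts (MiniDistribution, MiniL1Sender) that keep only the msg.value and refund-address plumbing shown in the snippets; it shows where the native value ends up when claim() is called with more value than the message fee:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed stand-in for the LayerZero V1 endpoint (not the real contract).
// It keeps a fixed fee and, like the real endpoint, sends the unused part of
// msg.value to _refundAddress.
contract MockLzEndpoint {
    uint256 public constant FEE = 0.01 ether; // assumed fee for the example

    function send(
        uint16, bytes calldata, bytes calldata,
        address payable _refundAddress, address, bytes calldata
    ) external payable {
        require(msg.value >= FEE, "insufficient fee");
        uint256 excess = msg.value - FEE;
        if (excess > 0) {
            (bool ok,) = _refundAddress.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}

// Minimal stand-in for L1Sender.sendMintMessage: same refund parameter,
// same forwarding of msg.value to the endpoint.
contract MiniL1Sender {
    MockLzEndpoint public immutable gateway;
    address public immutable distribution;

    constructor(MockLzEndpoint gateway_, address distribution_) {
        gateway = gateway_;
        distribution = distribution_;
    }

    function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable {
        require(msg.sender == distribution, "only distribution");
        gateway.send{value: msg.value}(
            1,                                               // assumed destination chain id
            abi.encodePacked(address(0xBEEF), address(this)), // assumed receiver + this sender
            abi.encode(user_, amount_),
            payable(refundTo_),                              // refund address under discussion
            address(0),
            bytes("")
        );
    }
}

// Minimal stand-in for Distribution.claim: forwards msg.value and the caller.
contract MiniDistribution {
    MiniL1Sender public l1Sender;

    function setSender(MiniL1Sender sender_) external { l1Sender = sender_; }

    function claim(address user_) external payable {
        l1Sender.sendMintMessage{value: msg.value}(user_, 100e18, msg.sender);
    }
}

contract RefundAddressTest is Test {
    function testUnusedFeeGoesToCaller() public {
        MockLzEndpoint endpoint = new MockLzEndpoint();
        MiniDistribution dist = new MiniDistribution();
        MiniL1Sender sender = new MiniL1Sender(endpoint, address(dist));
        dist.setSender(sender);

        address user = makeAddr("user");
        vm.deal(user, 1 ether);

        // Caller attaches 0.05 ether; the endpoint keeps its 0.01 ether fee.
        vm.prank(user);
        dist.claim{value: 0.05 ether}(user);

        assertEq(address(endpoint).balance, 0.01 ether); // fee retained by the endpoint
        assertEq(user.balance, 0.99 ether);              // 0.04 ether refunded to the caller
        assertEq(address(dist).balance, 0);              // nothing left in Distribution
        assertEq(address(sender).balance, 0);            // nothing left in L1Sender
    }
}
```

Run with forge test. Changing the last argument of claim() in MiniDistribution from msg.sender to address(this), as the recommendation below proposes, moves the 0.04 ether into MiniDistribution instead (and that contract would then need a receive function and a withdrawal path for it).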

Impact

A malicious user could send claim() transactions very frequently and collect the refund on every transaction that fails.

Tools Used

Manual review

Recommendations

I guess in this case the refund should be made to the Distribution contract rather than to the user itself, so you can use address(this) instead of msg.sender.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
