Token Loss on Failed Destination Chain Call

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/bridge/SourceBridge.sol#L77

Vulnerability details

Impact

The burnAndCallAxelar function allows users to burn tokens from their account with the intention of executing a cross-chain call. However, the tokens are burned before the cross-chain call is attempted. If the cross-chain call fails on the destination chain for any reason, such as a contract error or network issue, the burned tokens may become unrecoverable. This poses a risk of financial loss for users and a potential lack of trust in the contract's cross-chain functionality.

Proof of Concept

function burnAndCallAxelar(
uint256 amount,
string calldata destinationChain
) external payable whenNotPaused {
// check destinationChain is correct
string memory destContract = destChainToContractAddr[destinationChain];

if (bytes(destContract).length == 0) {
  revert DestinationNotSupported();
}

if (msg.value == 0) {
  revert GasFeeTooLow();
}

// burn amount
TOKEN.burnFrom(msg.sender, amount);

bytes memory payload = abi.encode(VERSION, msg.sender, amount, nonce++);

_payGasAndCallContract(destinationChain, destContract, payload);
}

Exploitation Scenario:

User Initiation: A user initiates a cross-chain transaction using the burnAndCallAxelar function. They specify an amount of tokens to burn, along with the destination chain and contract.

Token Burning: The function first burns the specified amount of tokens from the user's account. This is a crucial step, and the tokens are now removed from the user's balance.

Cross-Chain Call Attempt: After burning the tokens, the function attempts to execute a cross-chain call to the specified destination chain and contract with a payload.

Cross-Chain Call Failure: If, for any reason, the cross-chain call fails on the destination chain (e.g., due to contract errors, network issues, or other unforeseen circumstances), the transaction fails on the destination chain.

Unrecoverable Token Loss: Since the tokens were already burned in the user's account, and the cross-chain call failed, there is no mechanism in place to refund or return the tokens to the user. As a result, the user experiences an unrecoverable token loss.

Tools Used

Manual review

Recommended Mitigation Steps

Implement error handling mechanisms that allow for token redemption in case of a cross-chain call failure. This may involve creating a mechanism to refund or return tokens to the user if the destination chain transaction fails.

Assessed type

Invalid Validation

[c4-pre-sort]

raymondfam marked the issue as duplicate of #162

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as not a duplicate

[c4-pre-sort]

raymondfam marked the issue as duplicate of #50

[c4-judge]

kirk-baird marked the issue as unsatisfactory:
Invalid