[H-02] Incorrect recipient inside THORChain_Router::_transferOutAndCallV5, leading to sending gas asset to the payload target, not the recipient #155
Labels:
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- edited-by-warden
- 🤖_12_group: AI based duplicate group recommendation
- sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/main/ethereum/contracts/THORChain_Router.sol#L324
Vulnerability details
Impact
Inside THORChain_Router::_transferOutAndCallV5, when the gas asset is being transferred and the call to aggregationPayload.target fails, the gas asset should be sent to the recipient, not to aggregationPayload.target. This is what the comment next to the incorrect line, the documentation and THORChain_Router::_transferOutV5 all indicate. As written, the recipient will never receive the gas asset and the funds of the vault will be lost.
Proof of Concept
Please add a test to an existing file, or add a new test file called for example 6_Incorrect_Recipient.js, and paste the code from below. The code asserts that USER1 tries to swap ETH for tokens and send them to USER2, but the THORChain_Aggregator::swapOutV5 call fails and the Aggregator receives the refund, not USER2 as expected.
Tools Used
Manual Review
Recommended Mitigation Steps
Change the recipient to the correct one. Inside THORChain_Router::_transferOutAndCallV5, change:
Assessed type
ETH-Transfer
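To make the refund path described in the Impact and Mitigation sections concrete, here is a constructed reduction of the pattern (example code added for this page, not THORChain_Router's own code; the contract, struct and function names are placeholders). The vulnerable variant refunds a failed aggregator call's value to the payload target, while the corrected variant refunds the recipient and only bounces back to the caller (the vault) if that transfer fails too.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the refund-on-failure pattern in the finding.
// Names and layout are placeholders, not THORChain_Router's actual code.
struct Payload {
    address target;     // aggregator contract that receives the call
    address recipient;  // user who should end up with the asset
    bytes data;         // encoded swap call for the aggregator
}

contract RefundPatternVulnerable {
    // When the aggregator call reverts, the gas asset is sent to the payload
    // target (an aggregator contract), so the intended recipient never gets it.
    function transferOutAndCall(Payload calldata p) external payable {
        (bool ok, ) = p.target.call{value: msg.value}(p.data);
        if (!ok) {
            bool sent = payable(p.target).send(msg.value); // BUG: wrong recipient
            if (!sent) payable(msg.sender).transfer(msg.value); // bounce back to vault
        }
    }
}

contract RefundPatternFixed {
    // Same flow, but a failed call refunds the recipient, matching the
    // behaviour the comment and the plain transfer-out path describe.
    function transferOutAndCall(Payload calldata p) external payable {
        (bool ok, ) = p.target.call{value: msg.value}(p.data);
        if (!ok) {
            bool sent = payable(p.recipient).send(msg.value); // refund the user
            if (!sent) payable(msg.sender).transfer(msg.value); // bounce back to vault
        }
    }
}

// Minimal aggregator stub whose swap always reverts, used to exercise the
// failure branch of both contracts in a test. Because it accepts plain ETH,
// the vulnerable variant's refund lands here instead of with the recipient.
contract RevertingAggregator {
    function swap() external payable {
        revert("swap failed");
    }
    receive() external payable {}
}
```

In a test, deploy RevertingAggregator as the target, call transferOutAndCall with abi.encodeWithSignature("swap()") as data and a user address as recipient, and compare the target's and recipient's balances afterwards for each variant.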