Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fee-On-Transfer Token Will Cause Accounting Issue Within AxelarGasService Contract #157

Closed
code423n4 opened this issue Aug 3, 2022 · 2 comments
Closed

Fee-On-Transfer Token Will Cause Accounting Issue Within AxelarGasService Contract #157

code423n4 opened this issue Aug 3, 2022 · 2 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L12
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L35
https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L98

Vulnerability details

The following functions within the AxelarGasService contract accept ERC20 tokens:

If the ERC20 tokens are Fee-On-Transfer Token, it will cause an accounting issue within the AxelarGasService contract as the amount received by the contract is different from the amount emitted within the event.

Proof-of-Concept

POC for payGasForContractCall and payGasForContractCallWithToken are similar to addGas, thus they are omitted for brevity

Consider the AxelarGasService.addGas function. Assume that the gasToken is a Fee-On-Transfer token called XYZ that charges a 5% transfer fee.

If Alice called the addGas function with gasToken set to XYZ and gasFeeAmount set to 100, then the contract will only receive 95 XYZ tokens while an event with gasFeeAmount equal to 100 is emitted.

https://github.com/code-423n4/2022-07-axelar/blob/3729dd4aeff8dc2b8b9c3670a1c792c81fc60e7c/contracts/gas-service/AxelarGasService.sol#L98

function addGas(
    bytes32 txHash,
    uint256 logIndex,
    address gasToken,
    uint256 gasFeeAmount,
    address refundAddress
) external override {
    _safeTransferFrom(gasToken, msg.sender, gasFeeAmount);

    emit GasAdded(txHash, logIndex, gasToken, gasFeeAmount, refundAddress);
}

Impact

This will create a discrepancy between the information in the on-chain events and the actual number of tokens received by the contract.

Axelar's microservice or third-party external services that are listening to the on-chain event will be fed with inaccurate data, thus causing accounting issues within the system.

Recommendation

Ensure that Fee-On-Transfer tokens are not used as gas token within the system.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 3, 2022
code423n4 added a commit that referenced this issue Aug 3, 2022
@code423n4
xiaoming90 issue #157
aa6723b
@re1ro
Copy link
Member

re1ro commented Aug 5, 2022
edited
Loading

Duplicate of #16

@re1ro re1ro marked this as a duplicate of #16 Aug 23, 2022
@re1ro re1ro added the duplicate This issue or pull request already exists label Aug 23, 2022
@re1ro re1ro closed this as completed Aug 23, 2022
@GalloDaSballo
Copy link
Collaborator

Dup of #178

@GalloDaSballo GalloDaSballo added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Sep 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@re1ro @GalloDaSballo @code423n4