Incoming messages from Centrifuge chain to AxelarRouter is broken #212
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-537
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/gateway/routers/axelar/Router.sol#L44
Vulnerability details
Bug Description
The
AxelarRouter
is an important smart contract that operates as follows:Gateway
smart contract encodes outgoing messages and sends them to theAxelarRouter
using the AxelarRouter.send function. TheAxelarRouter
then forwards the message to thecentrifugeGatewayPrecompileAddress
on the Centrifuge chain through Axelar's General Message Passing mechanism.AxelarRouter
smart contract receives incoming messages through the AxelarRouter.execute function, which is processed by Centrifuge using Axelar's General Message Passing.In the
AxelarRouter
smart contract, theAxelarRouter.execute
function has a modifier that checks whethermsg.sender
is anAxelarGateway
smart contract. However,msg.sender
can never be anAxelarGateway
address.Proof-of-Concept
The process unfolds as follows:
AxelarRouter --> AxelarGateway --> CentrifugeGateway --> AxelarGateway --> AxelarRouter
An example to illustrate this issue:
CentrifugeGateway
smart contract on the Centrifuge chain through Axelar's General Message Passing, such asLiquidityPool.requestDeposit
function.CentrifugeGateway
forwards the message to theAxelarGateway
on the Centrifuge chain.AxelarGateway
on the destination chain.AxelarRouter
smart contract. However, theAxelarGateway
smart contract lacks the logic to invoke theAxelarRouter.execute
function on AxelarRouter smart contract.Note
: Centrifuge bot pays for all executing functions automatically.As a result, all incoming messages from the
CentrifugeGateway
will not be executed. You can verify this by inspecting theAxelarGateway
smart contract.You can also review AxelarScan (INTERCHAIN TRANSACTIONS) at this link. Specifically, open any transaction with the status
executed
and observe that there is no call fromAxelarGateway
to theexecute
function in any smart contract.In simple terms, the approval of a contract call occurs through
AxelarGateway
. After that, when calling theexecute
function in theAxelarRouter
smart contract, the validateContractCall is checked. However,msg.sender
can never be anAxelarGateway
address.Impact
All incoming messages from Centrifuge chain to AxelarRouter smart contract will fail.
Tools Used
Manual
Recommended Mitigation Steps
To solve this issue, you need to remove the require:
After that, anyone will be able to call the
AxelarRouter.execute
function. It is protected by avalidateContractCall
check that only allows execution if this function returns true and theAxelarGateway
marks the message as executed so that the contract call is not executed twice.Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: