AxelarRouter.execute will always revert causing all messages to not be processed #442
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-537
low quality report
This report is of especially low quality
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
centrifuge/blob/main/src/gateway/routers/axelar/Router.sol#L44
Vulnerability details
Impact
AxelarRouter.execute has the onlyCentrifugeChainOrigin modifier, which assumes
msg.sender
is axelarGateway. This is wrong because axelarGateway never does this.msg.sender
is the relayer from Axelar. Therefore, this function will revert due to the check in onlyCentrifugeChainOrigin, which has two impacts:Proof of Concept
According to axelar's docs, we can understand that cross-chain messages need to go through 3 phrases (6 steps). Let's see how messages are processed:
At the source chain
callContract
(orcallContractWithToken
) function on the Axelar Gateway contract to initiate a call. Once the call is initiated, the user can see its status at [https://axelarscan.io/gmp/txHash] or programmatically track it via the AxelarJS SDK.At the Axelar network
At the destination chain
In Axelar Gateway, each message will calculated as a hash value via
keccak256
, which represents the stored slot. If the value of this slot is true, it means that the message can be executed. The 5th step is to set the slot corresponding to the message to true. Next, the executor service from Axelar (commonly known as relayer) calls theexecute
method of the target contract of the message. In this case, it's Router.execute.So, at L44, tx will revert since
msg.sender
is not axelarGateway.L80-83, This implementation method has guaranteed the validity of the message.
axelarGateway.validateContractCall(commandId, sourceChain, sourceAddress, payloadHash)
will internally check whether the slot corresponding to the message is true. If it is true, set it to false and return the original bool.Tools Used
Manual Review
Recommended Mitigation Steps
Remove the check at L44.
Assessed type
DoS
The text was updated successfully, but these errors were encountered: