Boost _ IDEX 34494 - [Smart Contract - High] Tokens deposit in ExchangeStargateVAdapterlzCompose is
Submitted on Tue Aug 13 2024 23:08:39 GMT-0400 (Atlantic Standard Time) by @Paludo0x for
Report ID: #34494
Report type: Smart Contract
Report severity: High
Target: https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/bridge-adapters/ExchangeStargateV2Adapter.sol
Impacts:
Temporary freezing of funds
In ExchangeStargateV2Adapter::lzCompose(), the function IExchange(custodian.exchange()).deposit() is called; if this is disabled for any reason, the deposit will fail.
The tokens are bridged from L1 to L2 by means of the Stargate protocol.
To transfer the tokens to the final contract, the function lzCompose must be implemented.
This is the implementation of the ExchangeStargateV2Adapter contract:
The call to the deposit function is not inside a try/catch block, as is usual when tokens are transferred via a token/message bridge layer.
An example implementation is given in the Stargate docs: https://stargateprotocol.gitbook.io/stargate/v/v2-developer-docs/integrate-with-stargate/composability#receive-1
The suggestion is to implement the catch block with a transfer to the destination wallet, or to a permissioned wallet that implements transfer functionality.
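The try/catch fallback suggested above, as an added sketch that is neither the IDEX adapter nor the Stargate docs example. The interfaces, the deposit signature, the approve step and the encoding of the destination wallet in the compose message are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the IDEX adapter. Interfaces are assumptions.
interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IExchangeLike {
    // Assumed deposit signature; reverts while deposits are disabled.
    function deposit(uint256 quantity, address destinationWallet) external;
}

contract ComposeReceiverSketch {
    address public immutable lzEndpoint; // sole permitted caller of lzCompose
    address public immutable stargate;   // expected compose sender
    IERC20Like public immutable token;   // bridged token
    IExchangeLike public immutable exchange;

    event DepositFallback(address indexed wallet, uint256 amount, bytes reason);

    constructor(address e, address s, IERC20Like t, IExchangeLike x) {
        lzEndpoint = e;
        stargate = s;
        token = t;
        exchange = x;
    }

    function lzCompose(
        address _from, bytes32, bytes calldata _message, address, bytes calldata
    ) external payable {
        require(msg.sender == lzEndpoint, "not endpoint");
        require(_from == stargate, "not stargate");
        // OFT compose layout: nonce(8) | srcEid(4) | amountLD(32) | composeFrom(32) | composeMsg
        uint256 amountLD = uint256(bytes32(_message[12:44]));
        // Assumption: composeMsg is abi.encode(destinationWallet).
        address wallet = abi.decode(_message[76:], (address));
        require(wallet != address(0), "bad wallet");

        require(token.approve(address(exchange), amountLD), "approve failed");
        try exchange.deposit(amountLD, wallet) {
            // Deposit credited on the exchange; nothing left to do.
        } catch (bytes memory reason) {
            // Deposit reverted: revoke the allowance and send the bridged
            // tokens to the destination wallet instead of reverting.
            require(token.approve(address(exchange), 0), "revoke failed");
            require(token.transfer(wallet, amountLD), "fallback failed");
            emit DepositFallback(wallet, amountLD, reason);
        }
    }
}
```

The catch only covers a revert raised inside deposit; a failed approve or fallback transfer still reverts the whole lzCompose call.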
The impact is that the funds can be stuck if the exchange deposits are disabled permanently for any reason, even if LayerZero and Stargate implement functionality to retry sending a message.
In the test provided by the contract, there is the PoC that demonstrates that the call will revert if exchange deposits are disabled.