#38257 [SC-Insight] Freezing of msg.value passed in Bridge.deposit() if adapter is address zero

Submitted on Dec 29th 2024 at 09:32:35 UTC by @Shahen for Audit Comp | Lombard

Report ID: #38257
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/Bridge.sol
Impacts:
- Temporary freezing of funds for at least 30 days

Description

Brief/Intro

When interacted with the contract by calling Bridge.deposit() with a certain msg.value, usually what happens is any excess eth > fee amount will be appended to refunds[fromAddress] by the adapter therefore the msg.sender can withdraw the refund later, But if adapter is == address(0) any passed eth through the Bridge.deposit() function will be stuck in the Bridge contract without a refund.

Please refer to the below coded foundry poc, Run forge test -vvv , Install the foundry plugin for hardhat.

(Note - Also comment out _disableInitializers() inside the constructors of both LBTC and Bridge contracts to run this test.)

Vulnerability Details

Same as above Brief/Intro

Impact Details

Freezing of msg.value passed in Bridge.deposit() if adapter is address zero

References

https://github.com/lombard-finance/evm-smart-contracts/blob/a818ea0489178ccd00019edab24637c38501af7b/contracts/bridge/Bridge.sol#L147

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

import "../lib/forge-std/src/Test.sol";
import {LBTC} from "../contracts/LBTC/LBTC.sol";
import {Bridge} from "../contracts/bridge/Bridge.sol";
import {ConsortiumMock} from "../contracts/mock/ConsortiumMock.sol";
import {ILBTC} from "../contracts/Bridge/IBridge.sol";
import {IAdapter} from "../contracts/bridge/adapters/IAdapter.sol";
import {RateLimits} from "../contracts/libs/RateLimits.sol";




contract lombardtest is Test {

    LBTC public _LBTC;
    Bridge public _bridge;
    ConsortiumMock public _ConsortiumMock;
    
    address bob = address(0x7);
    address alex = address(0x8);

    function setUp() public {

       
       _LBTC = new LBTC(); // comment out `_disableInitializers()` inside the constructor please..
       _bridge = new Bridge(); // comment out `_disableInitializers()` inside the constructor please..
       _ConsortiumMock = new ConsortiumMock();

       _LBTC.initialize(address(_ConsortiumMock),uint64(0),address(0x3),address(this));
       _bridge.initialize(ILBTC(address(_LBTC)),address(0x1),address(this));
       _bridge.addDestination(bytes32(uint256(1)),bytes32(uint256(uint160(address(0x4)))),uint16(1000),uint64(0),IAdapter(address(0)),true);
       RateLimits.Config[] memory _config = new RateLimits.Config[](1);
       _config[0] = RateLimits.Config({chainId: bytes32(uint256(1)),limit: uint256(5e8) ,window: uint256(1000000000)});
       _bridge.setRateLimits(_config,_config);
       _LBTC.addMinter(address(_bridge));
       deal(bob,0.01 ether);
       assertEq(bob.balance,0.01 ether);
       deal(address(_LBTC),bob,2e8);
       assertEq(_LBTC.balanceOf(bob),2e8);       
    }

    function test_msgValue_lost() public {

     //Test case proving that if config.adapter == address(0), Any msg.value passed is not returned back to the caller but stuck in contract itself.   
       vm.startPrank(bob);
       _LBTC.approve(address(_bridge), 2e8); // just using a higher value,ignore it
       _bridge.deposit{value: 0.01 ether}(bytes32(uint256(1)), bytes32(uint256(uint160(alex))), 1e8);
       assertEq(address(_bridge).balance,0.01 ether); // Asserting that the bridge contract balance is of the passed ether value.
       vm.stopPrank();
       


       


    }

}

Previous38286 [SC-Low] bitcoinutils getdustlimitforoutput calculate wrongly the dust limit for a given bitco Next#38341 [SC-Insight] Suboptimal gas usage and ambiguous behavior during fee estimation

Last updated 7 months ago

Was this helpful?

// SPDX-License-Identifier: MIT pragma solidity 0.8.24; import "../lib/forge-std/src/Test.sol"; import {LBTC} from "../contracts/LBTC/LBTC.sol"; import {Bridge} from "../contracts/bridge/Bridge.sol"; import {ConsortiumMock} from "../contracts/mock/ConsortiumMock.sol"; import {ILBTC} from "../contracts/Bridge/IBridge.sol"; import {IAdapter} from "../contracts/bridge/adapters/IAdapter.sol"; import {RateLimits} from "../contracts/libs/RateLimits.sol"; contract lombardtest is Test { LBTC public _LBTC; Bridge public _bridge; ConsortiumMock public _ConsortiumMock; address bob = address(0x7); address alex = address(0x8); function setUp() public { _LBTC = new LBTC(); // comment out `_disableInitializers()` inside the constructor please.. _bridge = new Bridge(); // comment out `_disableInitializers()` inside the constructor please.. _ConsortiumMock = new ConsortiumMock(); _LBTC.initialize(address(_ConsortiumMock),uint64(0),address(0x3),address(this)); _bridge.initialize(ILBTC(address(_LBTC)),address(0x1),address(this)); _bridge.addDestination(bytes32(uint256(1)),bytes32(uint256(uint160(address(0x4)))),uint16(1000),uint64(0),IAdapter(address(0)),true); RateLimits.Config[] memory _config = new RateLimits.Config[](1); _config[0] = RateLimits.Config({chainId: bytes32(uint256(1)),limit: uint256(5e8) ,window: uint256(1000000000)}); _bridge.setRateLimits(_config,_config); _LBTC.addMinter(address(_bridge)); deal(bob,0.01 ether); assertEq(bob.balance,0.01 ether); deal(address(_LBTC),bob,2e8); assertEq(_LBTC.balanceOf(bob),2e8); } function test_msgValue_lost() public { //Test case proving that if config.adapter == address(0), Any msg.value passed is not returned back to the caller but stuck in contract itself. vm.startPrank(bob); _LBTC.approve(address(_bridge), 2e8); // just using a higher value,ignore it _bridge.deposit{value: 0.01 ether}(bytes32(uint256(1)), bytes32(uint256(uint160(alex))), 1e8); assertEq(address(_bridge).balance,0.01 ether); // Asserting that the bridge contract balance is of the passed ether value. vm.stopPrank(); } }