#52690 [SC-Medium] DoS of smart contracts on bridging functions

Submitted on Aug 12th 2025 at 12:55:04 UTC by @funkornaut for Attackathon | Plume Network

  • Report ID: #52690

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol

Brief / Intro

Smart contracts that cannot accept native tokens can be DoS'ed when interacting with the DexAggregatorWrapperWithPredicateProxy deposit and bridge functions.

Vulnerability Details

DexAggregatorWrapperWithPredicateProxy exposes an open receive function and uses an internal refund helper which forwards the full contract balance to a recipient:

DexAggregatorWrapperWithPredicateProxy::_refundExcessEth
function _refundExcessEth(address payable _recipient) internal {
    uint256 balance = address(this).balance;
    if (balance > 0) {
        (bool success,) = _recipient.call{ value: balance }("");
        if (!success) {
            revert DexAggregatorWrapper__EthRefundFailed();
        }
    }
    // If balance is 0, do nothing.
}

Because refunds use a direct call that requires the recipient to be able to accept native tokens, a malicious actor can send a tiny amount of ETH (e.g., 1 wei) to the DexAggregatorWrapperWithPredicateProxy before a target contract calls the bridge/deposit functions. When the target contract (which lacks a payable receive/fallback) is expected to receive a refund, the refund attempt reverts and causes the overall transaction to fail.

Additionally, native tokens can slowly accumulate in the wrapper contract over normal usage, increasing the chance of incompatibility with contracts that cannot accept native tokens.

Impact

Denial of service of smart contracts on deposit and bridge functions: interacting contracts that cannot accept native ETH will have their transactions revert when the wrapper attempts to refund accumulated ETH to them.

Proof of Concept

Step 1: Attacker observes a contract (the victim) without a receive or fallback payable function preparing to call a bridge/deposit function on DexAggregatorWrapperWithPredicateProxy.

Step 2: Attacker sends 1 wei (or any small amount of native ETH) to DexAggregatorWrapperWithPredicateProxy prior to the victim's transaction.

Step 3: Victim contract calls the bridge/deposit function. During execution the wrapper calls _refundExcessEth(victim) which performs a call{ value: balance }("") to the victim. Since the victim cannot accept native tokens, the call fails, reverting the wrapper and causing the victim's transaction to revert — resulting in DoS.
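One way to remove the revert condition described above, as an added sketch that is not part of the original report or the project's code: refund only the ETH left over from the current call, and credit the recipient instead of reverting when the push fails. The contract name RefundSketch, the depositAndBridge stand-in, feeSink, pendingRefunds and claimRefund are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: hypothetical contract and names, not the project's code.
contract RefundSketch {
    error FeeExceedsValue();
    error FeeTransferFailed();
    error NothingToClaim();
    error ClaimFailed();

    event RefundDeferred(address indexed recipient, uint256 amount);

    address payable public immutable feeSink; // assumed destination of the spent ETH
    mapping(address => uint256) public pendingRefunds; // refunds that could not be pushed

    constructor(address payable sink) { feeSink = sink; }

    receive() external payable {} // open receive, as in the reported wrapper

    /// Stand-in for a deposit/bridge entry point that spends `fee` out of msg.value.
    function depositAndBridge(uint256 fee) external payable {
        if (fee > msg.value) revert FeeExceedsValue();
        // ETH held before this call: stray transfers plus deferred refunds.
        uint256 balanceBefore = address(this).balance - msg.value;
        (bool paid,) = feeSink.call{ value: fee }("");
        if (!paid) revert FeeTransferFailed();
        _refundExcessEth(payable(msg.sender), balanceBefore);
    }

    function _refundExcessEth(address payable recipient, uint256 balanceBefore) internal {
        // Only what this call left over, never the whole contract balance.
        uint256 excess = address(this).balance - balanceBefore;
        if (excess == 0) return; // exact payment: recipient is never called
        (bool success,) = recipient.call{ value: excess }("");
        if (!success) {
            // Recipient cannot accept native tokens: credit it instead of reverting.
            pendingRefunds[recipient] += excess;
            emit RefundDeferred(recipient, excess);
        }
    }

    /// Pull path: a contract without receive() names an address that can take ETH.
    function claimRefund(address payable to) external {
        uint256 amount = pendingRefunds[msg.sender];
        if (amount == 0) revert NothingToClaim();
        pendingRefunds[msg.sender] = 0; // clear before the external call
        (bool success,) = to.call{ value: amount }("");
        if (!success) revert ClaimFailed();
    }
}
```

With this shape, 1 wei sent to the contract ahead of a caller's transaction stays in balanceBefore and is never forwarded, so a non-payable caller that pays the exact amount receives no call at all.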

References

  • https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol?utm_source=immunefi#L376-#L385

  • https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol?utm_source=immunefi#L417

  • https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol?utm_source=immunefi#L222

  • https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol?utm_source=immunefi#L148
