52690 sc medium dos of smart contracts on bridging functions

Submitted on Aug 12th 2025 at 12:55:04 UTC by @funkornaut for Attackathon | Plume Network

• Report ID: #52690

• Report Type: Smart Contract

• Report severity: Medium

• Target: https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol

Brief / Intro

Smart contracts that cannot accept native tokens can be DoS'ed when interacting with the DexAggregatorWrapperWithPredicateProxy deposit and bridge functions.

Vulnerability Details

DexAggregatorWrapperWithPredicateProxy exposes an open receive function and uses an internal refund helper which forwards the full contract balance to a recipient:

function _refundExcessEth(address payable _recipient) internal {
    uint256 balance = address(this).balance;
    if (balance > 0) {
        (bool success,) = _recipient.call{ value: balance }("");
        if (!success) {
            revert DexAggregatorWrapper__EthRefundFailed();
        }
    }
    // If balance is 0, do nothing.
}

Because refunds use a direct call that requires the recipient to be able to accept native tokens, a malicious actor can send a tiny amount of ETH (e.g., 1 wei) to the DexAggregatorWrapperWithPredicateProxy before a target contract calls the bridge/deposit functions. When the target contract (which lacks a payable receive/fallback) is expected to receive a refund, the refund attempt reverts and causes the overall transaction to fail.

Additionally, native tokens can slowly accumulate in the wrapper contract over normal usage, increasing the chance of incompatibility with contracts that cannot accept native tokens.

Impact

Denial of service of smart contracts on deposit and bridge functions: interacting contracts that cannot accept native ETH will have their transactions revert when the contract attempts to refund accumulated ETH.

Proof of Concept

References