# #43274 \[SC-Low] \`TRANSFER\_NATIVE\` Command in Dispatcher Does Not Check Return Value of Low-Level Call **Submitted on Apr 4th 2025 at 08:28:32 UTC by @Coyote25049 for** [**Audit Comp | Spectra Finance**](https://immunefi.com/audit-competition/audit-comp-spectra-finance) * **Report ID:** #43274 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield ## Description ## Location: * ## Finding description and impact The `_dispatch` function in the `Dispatcher.sol` contract handles various commands. Among these, the `TRANSFER_NATIVE` command (L483-L486) is used to send native ETH to a specified recipient. This command uses a low-level `call` to perform the transfer: `(bool success, ) = payable(recipient).call{value: amount}("");` However, the code **completely fails to check the returned `success` boolean** after executing the `call`. The low-level `call` will return `false` instead of reverting in the following situations: 1. The recipient contract does not have a `receive()` or `fallback()` payable function to receive ETH. 2. The recipient contract's `receive()` or `fallback()` function execution fails (e.g., insufficient gas or explicit revert). 3. The `value` being sent exceeds the recipient's balance limit (although uncommon). 4. The call depth reaches 1024. If `call` returns `false`, it means that the ETH transfer actually failed, and the funds were not sent to the `recipient`. However, since the `Dispatcher` contract does not check `success`, it will continue to execute subsequent commands (if they exist in a multi-command sequence) as if the transfer had succeeded. **Impact:** This can lead to an inconsistency between the protocol's internal state (which assumes the transfer has occurred) and the actual on-chain state of funds (ETH is still in the Dispatcher contract). This state inconsistency can be exploited in complex transaction sequences involving multi-step operations: * **Loss of Funds:** Subsequent operations may be calculated or have state updates based on the incorrect assumption that "ETH has been sent," leading to a loss of funds for the protocol or users. For example, if a subsequent command relies on the recipient having received the ETH, but they haven't, it could trigger an incorrect logical path. * **Logic Errors:** The protocol may enter an unexpected or inconsistent state, disrupting its core functionality or invariants. ## Proof of Concept 1. A user constructs a transaction sequence containing a `TRANSFER_NATIVE` command, with the target `recipient` being a contract address that does not have a `receive()` or `fallback()` payable function. 2. The user calls the Router to execute this sequence. 3. The `_dispatch` function executes the `TRANSFER_NATIVE` command. 4. `payable(recipient).call{value: amount}("")` is called. Because the target contract cannot receive ETH, the call fails, returning `success = false`. 5. The `Dispatcher` contract **does not check `success`** and continues to execute the next command in the sequence. 6. Subsequent commands execute based on the incorrect assumption that the ETH transfer was successful, potentially leading to: * Incorrect balance calculations. * Incorrect permission grants. * Incorrect event triggering. * The protocol entering an inconsistent state. Or: 1. A user constructs a transaction sequence containing a `TRANSFER_NATIVE` command, with the target `recipient` being a malicious contract whose `receive()` function reverts. 2. The user calls the Router to execute this sequence. 3. The `_dispatch` function executes the `TRANSFER_NATIVE` command. 4. `payable(recipient).call{value: amount}("")` is called. The target contract's `receive()` function reverts, causing `call` to return `success = false`. 5. The `Dispatcher` contract does not check `success` and continues executing subsequent commands, potentially leading to state inconsistencies or loss of funds. ## Recommended mitigation steps After executing the low-level `call`, the returned `success` value must be checked, and the transaction should revert if it fails. ```solidity } else if (command == Commands.TRANSFER_NATIVE) { (address recipient, uint256 amount) = abi.decode(_inputs, (address, uint256)); recipient = _resolveAddress(recipient); // Resolve the address amount = _resolveTokenValue(Constants.ETH_ADDRESS, amount); // Resolve the amount, assuming ETH address is 0xE...E (bool success, ) = payable(recipient).call{value: amount}(""); // Add a check: ensure the ETH transfer succeeded if (!success) { revert CallFailed(); // Or use a more specific error type, e.g., ETHTransferFailed } } else { ``` Note: `_resolveTokenValue` needs to handle the case of native ETH, which may require passing a special address (such as `0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE` or `address(0)`) to represent ETH, or modifying the logic of `_resolveTokenValue`. If `amount` comes directly from `abi.decode` and does not need to resolve `CONTRACT_BALANCE`, it can be used directly. The above fix assumes that `_resolveTokenValue` can correctly handle amount resolution for native ETH. By adding `if (!success) { revert CallFailed(); }`, you ensure that the contract only continues to execute if the ETH was successfully sent, thereby maintaining the consistency of the protocol state and the security of funds. ## Proof of Concept ## Test `forge test -vv --match-path "test/DispatcherNativeTransferPOC.sol"` ## Result ```bash Ran 3 tests for test/DispatcherNativeTransferPOC.sol:DispatcherNativeTransferPOC [PASS] test_ComparisonWithProperCheck() (gas: 379383) Logs: ===== TEST: COMPARISON WITH PROPER SUCCESS CHECK ===== This test shows the correct behavior when implementing proper success check Initial balances: Attempting to transfer ETH (with proper success check): Recipient: 0xF62849F9A0B5Bf2913b396098F7c7019b51A820a Call success: false Transfer failed! Reverting transaction to maintain state consistency Transaction completed with success: false Final balances: FIXED BEHAVIOR: 1. The transaction reverts when ETH transfer fails 2. This maintains consistency between protocol state and actual balances 3. No opportunity for exploitation due to state inconsistency [PASS] test_TransferToRejecter() (gas: 163889) Logs: ===== TEST: ETH TRANSFER TO CONTRACT WITHOUT RECEIVE FUNCTION ===== This test demonstrates that when a transfer fails, the Dispatcher continues execution and updates internal accounting as if the transfer succeeded. Initial balances: Attempting to transfer ETH: Recipient: 0x2e234DAe75C793f67A35089C9d99245E1C58470b Call success: false WARNING: Transfer failed but execution continues! VULNERABILITY: Internal accounting and actual balances are now inconsistent! External contract call command executed: Target contract: 0x0000000000000000000000000000000000000123 NOTE: This operation assumes previous operations were successful Transaction completed with success: true Final state: Final operation executed: true VULNERABILITY IMPACT: 1. The ETH transfer failed (rejecter balance is 0) 2. But Dispatcher recorded the transfer as successful in its state 3. Subsequent operations were executed based on incorrect state 4. This can lead to various exploits including theft of funds [PASS] test_TransferToReverter() (gas: 167850) Logs: ===== TEST: ETH TRANSFER TO CONTRACT THAT REVERTS ===== This test demonstrates that even when a transfer actively reverts, the Dispatcher continues execution and maintains inconsistent state. Initial balances: Attempting to transfer ETH: Recipient: 0xF62849F9A0B5Bf2913b396098F7c7019b51A820a Call success: false WARNING: Transfer failed but execution continues! VULNERABILITY: Internal accounting and actual balances are now inconsistent! ERC20 transfer command executed: Token: 0x0000000000000000000000000000000000000456 Recipient: 0x0000000000000000000000000000000000000789 NOTE: This operation assumes previous operations were successful Transaction completed with success: true Final state: Final operation executed: true EXPLOITATION SCENARIO: 1. An attacker creates a contract that reverts on ETH receiving 2. The attacker calls a sequence that includes transferring ETH to this contract 3. The transfer fails, but the protocol thinks it succeeded 4. The attacker can now exploit this inconsistency, e.g.: - Withdraw more funds than they should be able to - Execute privileged operations based on incorrect balance assumptions - Create further state inconsistencies in dependent protocols Suite result: ok. 3 passed; 0 failed; 0 skipped; finished in 964.71µs (796.17µs CPU time) Ran 1 test suite in 106.31ms (964.71µs CPU time): 3 tests passed, 0 failed, 0 skipped (3 total tests) ``` ## POC ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.20; import "forge-std/Test.sol"; import "forge-std/console.sol"; // Mock Dispatcher contract that demonstrates the vulnerability contract MockDispatcher { // Command enumeration similar to the original contract enum Commands { TRANSFER_NATIVE, TRANSFER_ERC20, CALL_CONTRACT } // Status tracking for demonstration uint256 public operationsCompleted; bool public finalOperationExecuted; mapping(address => uint256) public recordedTransfers; // Track protocol state - simplified example of internal accounting mapping(address => uint256) public userBalances; // Execute a sequence of commands function dispatch( Commands[] calldata commands, bytes[] calldata inputs ) external payable { require(commands.length == inputs.length, "Length mismatch"); for (uint256 i = 0; i < commands.length; i++) { _dispatch(commands[i], inputs[i]); operationsCompleted++; } // This represents a final operation that relies on the assumption // that all previous operations (including ETH transfers) were successful finalOperationExecuted = true; } // The vulnerable dispatch function that doesn't check call success function _dispatch(Commands command, bytes calldata _inputs) internal { if (command == Commands.TRANSFER_NATIVE) { (address recipient, uint256 amount) = abi.decode(_inputs, (address, uint256)); console.log("Attempting to transfer ETH:"); console.log(" Recipient:", recipient); console.log(" Amount:", amount / 1e18, "ETH"); console.log(" Dispatcher balance before:", address(this).balance / 1e18, "ETH"); // VULNERABILITY: No check of the success return value (bool success, ) = payable(recipient).call{value: amount}(""); // Record the transfer in internal accounting regardless of actual success recordedTransfers[recipient] += amount; userBalances[recipient] += amount; // Update internal accounting console.log(" Call success:", success); console.log(" Dispatcher balance after:", address(this).balance / 1e18, "ETH"); console.log(" Recorded transfer amount:", recordedTransfers[recipient] / 1e18, "ETH"); console.log(" Updated user balance in accounting:", userBalances[recipient] / 1e18, "ETH"); // VULNERABILITY: Continue execution even if transfer failed if (!success) { console.log(" WARNING: Transfer failed but execution continues!"); console.log(" VULNERABILITY: Internal accounting and actual balances are now inconsistent!"); } } else if (command == Commands.TRANSFER_ERC20) { // Simplified mock for ERC20 transfers (address token, address recipient, uint256 amount) = abi.decode( _inputs, (address, address, uint256) ); console.log("ERC20 transfer command executed:"); console.log(" Token:", token); console.log(" Recipient:", recipient); console.log(" Amount:", amount); // This operation depends on previous operations being successful console.log(" NOTE: This operation assumes previous operations were successful"); } else if (command == Commands.CALL_CONTRACT) { (address target, bytes memory callData) = abi.decode( _inputs, (address, bytes) ); console.log("External contract call command executed:"); console.log(" Target contract:", target); // This operation depends on previous operations being successful console.log(" NOTE: This operation assumes previous operations were successful"); } } // Helper function to check contract's ETH balance function getBalance() external view returns (uint256) { return address(this).balance; } // Allow the contract to receive ETH receive() external payable {} } // A contract that cannot receive ETH - no receive/fallback function contract ETHRejecter { // This contract deliberately has no receive() or fallback() function // so it will reject any ETH sent to it function executeAction() external pure returns (string memory) { return "Action executed"; } } // A contract that deliberately reverts when receiving ETH contract ETHReverter { // The receive function that reverts when called receive() external payable { revert("I reject all ETH transfers"); } function executeAction() external pure returns (string memory) { return "Action executed"; } } // POC test contract contract DispatcherNativeTransferPOC is Test { MockDispatcher public dispatcher; ETHRejecter public rejecter; ETHReverter public reverter; address public user = address(0x1); function setUp() public { dispatcher = new MockDispatcher(); rejecter = new ETHRejecter(); reverter = new ETHReverter(); // Fund the user and label addresses for better trace output vm.deal(user, 10 ether); vm.label(address(dispatcher), "Dispatcher"); vm.label(address(rejecter), "ETHRejecter"); vm.label(address(reverter), "ETHReverter"); vm.label(user, "User"); } function test_TransferToRejecter() public { console.log("\n===== TEST: ETH TRANSFER TO CONTRACT WITHOUT RECEIVE FUNCTION ====="); console.log("This test demonstrates that when a transfer fails, the Dispatcher continues execution"); console.log("and updates internal accounting as if the transfer succeeded."); console.log("\nInitial balances:"); console.log(" Dispatcher:", address(dispatcher).balance / 1e18, "ETH"); console.log(" Rejecter:", address(rejecter).balance / 1e18, "ETH"); // Set up command sequence that includes an ETH transfer MockDispatcher.Commands[] memory commands = new MockDispatcher.Commands[](2); commands[0] = MockDispatcher.Commands.TRANSFER_NATIVE; commands[1] = MockDispatcher.Commands.CALL_CONTRACT; // Second operation that assumes first succeeded bytes[] memory inputs = new bytes[](2); inputs[0] = abi.encode(address(rejecter), 1 ether); // Try to send 1 ETH to rejecter inputs[1] = abi.encode(address(0x123), "0xabcdef"); // Some arbitrary call data // Execute the command sequence vm.startPrank(user); (bool success, ) = address(dispatcher).call{value: 2 ether}( abi.encodeWithSelector(dispatcher.dispatch.selector, commands, inputs) ); vm.stopPrank(); console.log("\nTransaction completed with success:", success); console.log("\nFinal state:"); console.log(" Dispatcher balance:", address(dispatcher).balance / 1e18, "ETH"); console.log(" Rejecter balance:", address(rejecter).balance / 1e18, "ETH"); console.log(" Operations completed:", dispatcher.operationsCompleted()); console.log(" Final operation executed:", dispatcher.finalOperationExecuted()); console.log(" Recorded transfer to rejecter:", dispatcher.recordedTransfers(address(rejecter)) / 1e18, "ETH"); console.log(" Internal accounting for rejecter:", dispatcher.userBalances(address(rejecter)) / 1e18, "ETH"); console.log("\nVULNERABILITY IMPACT:"); console.log("1. The ETH transfer failed (rejecter balance is 0)"); console.log("2. But Dispatcher recorded the transfer as successful in its state"); console.log("3. Subsequent operations were executed based on incorrect state"); console.log("4. This can lead to various exploits including theft of funds"); // Demonstrate that the dispatcher thinks it sent ETH, but the ETH is still in the dispatcher assertTrue(success, "Transaction should succeed despite failed transfer"); assertEq(dispatcher.operationsCompleted(), 2, "Both operations should be marked complete"); assertTrue(dispatcher.finalOperationExecuted(), "Final operation should execute"); assertEq(dispatcher.recordedTransfers(address(rejecter)), 1 ether, "Transfer should be recorded in state"); assertEq(dispatcher.userBalances(address(rejecter)), 1 ether, "User balance should be updated in state"); assertEq(address(rejecter).balance, 0, "Rejecter should have 0 ETH (transfer failed)"); assertEq(address(dispatcher).balance, 2 ether, "Dispatcher should still have all the ETH"); } function test_TransferToReverter() public { console.log("\n===== TEST: ETH TRANSFER TO CONTRACT THAT REVERTS ====="); console.log("This test demonstrates that even when a transfer actively reverts,"); console.log("the Dispatcher continues execution and maintains inconsistent state."); console.log("\nInitial balances:"); console.log(" Dispatcher:", address(dispatcher).balance / 1e18, "ETH"); console.log(" Reverter:", address(reverter).balance / 1e18, "ETH"); // Set up command sequence with ETH transfer followed by another operation MockDispatcher.Commands[] memory commands = new MockDispatcher.Commands[](2); commands[0] = MockDispatcher.Commands.TRANSFER_NATIVE; commands[1] = MockDispatcher.Commands.TRANSFER_ERC20; // Second operation that assumes first succeeded bytes[] memory inputs = new bytes[](2); inputs[0] = abi.encode(address(reverter), 1 ether); // Try to send 1 ETH to reverter inputs[1] = abi.encode(address(0x456), address(0x789), 1000); // Some ERC20 transfer // Execute the command sequence vm.startPrank(user); (bool success, ) = address(dispatcher).call{value: 2 ether}( abi.encodeWithSelector(dispatcher.dispatch.selector, commands, inputs) ); vm.stopPrank(); console.log("\nTransaction completed with success:", success); console.log("\nFinal state:"); console.log(" Dispatcher balance:", address(dispatcher).balance / 1e18, "ETH"); console.log(" Reverter balance:", address(reverter).balance / 1e18, "ETH"); console.log(" Operations completed:", dispatcher.operationsCompleted()); console.log(" Final operation executed:", dispatcher.finalOperationExecuted()); console.log(" Recorded transfer to reverter:", dispatcher.recordedTransfers(address(reverter)) / 1e18, "ETH"); console.log(" Internal accounting for reverter:", dispatcher.userBalances(address(reverter)) / 1e18, "ETH"); console.log("\nEXPLOITATION SCENARIO:"); console.log("1. An attacker creates a contract that reverts on ETH receiving"); console.log("2. The attacker calls a sequence that includes transferring ETH to this contract"); console.log("3. The transfer fails, but the protocol thinks it succeeded"); console.log("4. The attacker can now exploit this inconsistency, e.g.:"); console.log(" - Withdraw more funds than they should be able to"); console.log(" - Execute privileged operations based on incorrect balance assumptions"); console.log(" - Create further state inconsistencies in dependent protocols"); // Demonstrate the same issue with a contract that actively reverts assertTrue(success, "Transaction should succeed despite failed transfer"); assertEq(dispatcher.operationsCompleted(), 2, "Both operations should be marked complete"); assertTrue(dispatcher.finalOperationExecuted(), "Final operation should execute"); assertEq(dispatcher.recordedTransfers(address(reverter)), 1 ether, "Transfer should be recorded in state"); assertEq(dispatcher.userBalances(address(reverter)), 1 ether, "User balance should be updated in state"); assertEq(address(reverter).balance, 0, "Reverter should have 0 ETH (transfer reverted)"); assertEq(address(dispatcher).balance, 2 ether, "Dispatcher should still have all the ETH"); } function test_ComparisonWithProperCheck() public { console.log("\n===== TEST: COMPARISON WITH PROPER SUCCESS CHECK ====="); console.log("This test shows the correct behavior when implementing proper success check"); // Create a new dispatcher with proper success check (inline for simplicity) MockDispatcherFixed fixedDispatcher = new MockDispatcherFixed(); vm.label(address(fixedDispatcher), "FixedDispatcher"); console.log("\nInitial balances:"); console.log(" FixedDispatcher:", address(fixedDispatcher).balance / 1e18, "ETH"); console.log(" Reverter:", address(reverter).balance / 1e18, "ETH"); // Set up command sequence MockDispatcherFixed.Commands[] memory commands = new MockDispatcherFixed.Commands[](1); commands[0] = MockDispatcherFixed.Commands.TRANSFER_NATIVE; bytes[] memory inputs = new bytes[](1); inputs[0] = abi.encode(address(reverter), 1 ether); // Execute the command sequence vm.startPrank(user); bool success; bytes memory returnData; (success, returnData) = address(fixedDispatcher).call{value: 2 ether}( abi.encodeWithSelector(fixedDispatcher.dispatch.selector, commands, inputs) ); vm.stopPrank(); console.log("\nTransaction completed with success:", success); console.log("\nFinal balances:"); console.log(" FixedDispatcher:", address(fixedDispatcher).balance / 1e18, "ETH"); console.log(" Reverter:", address(reverter).balance / 1e18, "ETH"); console.log("\nFIXED BEHAVIOR:"); console.log("1. The transaction reverts when ETH transfer fails"); console.log("2. This maintains consistency between protocol state and actual balances"); console.log("3. No opportunity for exploitation due to state inconsistency"); // The fixed dispatcher should revert the transaction when transfer fails assertFalse(success, "Transaction should revert when transfer fails"); assertEq(address(reverter).balance, 0, "Reverter should have 0 ETH"); } } // A fixed version of the dispatcher that properly checks the return value contract MockDispatcherFixed { enum Commands { TRANSFER_NATIVE, TRANSFER_ERC20, CALL_CONTRACT } error ETHTransferFailed(); function dispatch( Commands[] calldata commands, bytes[] calldata inputs ) external payable { require(commands.length == inputs.length, "Length mismatch"); for (uint256 i = 0; i < commands.length; i++) { _dispatch(commands[i], inputs[i]); } } function _dispatch(Commands command, bytes calldata _inputs) internal { if (command == Commands.TRANSFER_NATIVE) { (address recipient, uint256 amount) = abi.decode(_inputs, (address, uint256)); console.log("Attempting to transfer ETH (with proper success check):"); console.log(" Recipient:", recipient); console.log(" Amount:", amount / 1e18, "ETH"); // FIXED: Properly check the success return value (bool success, ) = payable(recipient).call{value: amount}(""); console.log(" Call success:", success); // Revert if transfer fails - THIS IS THE FIX if (!success) { console.log(" Transfer failed! Reverting transaction to maintain state consistency"); revert ETHTransferFailed(); } } } receive() external payable {} } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/spectra-finance/43274-sc-low-transfer_native-command-in-dispatcher-does-not-check-return-value-of-low-level-call.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.