Gas fees are refunded to a wrong address when transferring tokens via InterchainToken.interchainTransferFrom

[code423n4]

Lines of code

https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/interchain-token/InterchainToken.sol#L104

Vulnerability details

Impact

In a case when gas fees are refunded for a token transfer made via the InterchainToken.interchainTransferFrom function, the fees will be refunded to the owner of the tokens, not the address that actually paid the fees. As a result, the sender will lose the fees paid for the cross-chain transaction and will not receive tokens on the other chain; the owner of the token will have their tokens and will receive the fees.

Proof of Concept

The InterchainToken.interchainTransferFrom function is used to transfer tokens cross-chain. The function is identical to the ERC20.transferFrom function: an approved address can send someone else's tokens to another chain. Since this is a cross-chain transaction, the sender also has to pay the additional gas fee for executing the transaction:

1. the function calls tokenManager.transmitInterchainTransfer;
2. tokenManager.transmitInterchainTransfer calls interchainTokenService.transmitSendToken;
3. interchainTokenService.transmitSendToken calls _callContract;
4. _callContract uses the msg.value to pay the extra gas fees.

Notice that the gasService.payNativeGasForContractCall call in _callContract takes the refundTo address, i.e. the address that will receive refunded gas fee. If we return up on the call stack, we'll see that the refund address is the sender address that's passed to the tokenManager.transmitInterchainTransfer call. Thus, gas fees will be refunded to the token owner, not the caller, however it's the caller who pays them.

Tools Used

Manual review

Recommended Mitigation Steps

The TokenManager.transmitInterchainTransfer and the InterchainTokenService.transmitSendToken functions, besides taking the sender/sourceAddress argument, need also take the "refund to" address. In the InterchainToken.interchainTransferFrom function, the two argument will be set to different addresses: the sender/sourceAddress argument will be set to the token owner address; the new "refund to" argument will be set to msg.sender. Thus, while tokens will be taken from their owner, the cross-chain gas fees will be refunded to the actual transaction sender.

Assessed type

ETH-Transfer

[c4-pre-sort]

0xSorryNotSorry marked the issue as primary issue

[c4-sponsor]

deanamiel marked the issue as disagree with severity

[deanamiel]

Corrected Severity: QA
In most cases it will have been called by the sender anyway, so having the sender be refunded is the desired effect. Sometimes this will not be the case though, depending on the use case. Therefore, we have added a parameter to keep track of where the funds need to be refunded.
Link to public PR:
axelarnetwork/interchain-token-service#96

[berndartmueller]

Considering this medium severity as per "...In most cases it will have been called by the sender anyway" (sponsors statement above). Nevertheless, in the cases where an approved address transfers the tokens, the gas is incorrectly refunded.

[c4-judge]

berndartmueller changed the severity to 2 (Med Risk)

[c4-judge]

berndartmueller marked the issue as selected for report

[milapsheth]

We acknowledge the severity