TOB-FUEL-3: `register_refund` does not take previous refunds into account
xgreenx opened this issue · comments
Description
When a refund is registered due to an error, any previous refund balance is overwritten and lost.
Refunds are issued when the bridged Ethereum asset is sent to an incompatible token address on the Fuel chain.
Refunds are accounted for in the `register_refund` function and stored in the storage variable `refund_amounts`.
```sway
// Storage-dependant private functions
#[storage(write)]
fn register_refund(from: b256, asset: b256, amount: b256) {
    storage.refund_amounts.get(from).insert(asset, amount);
    log(RefundRegisteredEvent {
        from,
        asset,
        amount,
    });
}
```
Exploit Scenario
Alice bridges 1M USDC from Ethereum to the Fuel chain and includes a wrong recipient. Due to a mistake she sends the transaction twice. This results in her first deposit being lost.
Recommendations
Short term, increment the amounts when updating the refund storage values.
Long term, increase test coverage and make sure that special cases, such as triggering a refund case twice, are included.
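
The overwrite and the short-term recommendation side by side, as an added example in plain Rust (a model, not the bridge contract's Sway code). The `RefundLedger` type, the `B256` byte array standing in for `b256`, the `amt` helper and the overflow check are assumptions made for illustration.

```rust
use std::collections::HashMap;

type B256 = [u8; 32]; // assumption: stand-in for Sway's b256, big-endian

// Big-endian 256-bit addition; returns None when the sum does not fit.
fn checked_add_b256(a: &B256, b: &B256) -> Option<B256> {
    let (mut out, mut carry) = ([0u8; 32], 0u16);
    for i in (0..32).rev() {
        let sum = a[i] as u16 + b[i] as u16 + carry;
        out[i] = sum as u8; // low byte of the column sum
        carry = sum >> 8;   // 0 or 1 carried into the next byte
    }
    if carry == 0 { Some(out) } else { None }
}

// Hypothetical model of storage.refund_amounts: from -> asset -> amount.
#[derive(Default)]
struct RefundLedger { refund_amounts: HashMap<B256, HashMap<B256, B256>> }

impl RefundLedger {
    // Behaviour reported in the issue: the new amount replaces the stored one.
    fn register_refund_overwrite(&mut self, from: B256, asset: B256, amount: B256) {
        self.refund_amounts.entry(from).or_default().insert(asset, amount);
    }
    // Short-term recommendation: add to the stored amount, rejecting overflow.
    fn register_refund_accumulate(&mut self, from: B256, asset: B256, amount: B256) -> Result<B256, &'static str> {
        let slot = self.refund_amounts.entry(from).or_default().entry(asset).or_insert([0u8; 32]);
        let total = checked_add_b256(&*slot, &amount).ok_or("refund total overflows 256 bits")?;
        *slot = total; // only written when the addition succeeded
        Ok(total)
    }
    fn owed(&self, from: &B256, asset: &B256) -> B256 {
        self.refund_amounts.get(from).and_then(|m| m.get(asset)).copied().unwrap_or([0u8; 32])
    }
}

// Constructed helper: encode a small integer as a big-endian B256.
fn amt(v: u64) -> B256 {
    let mut b = [0u8; 32];
    b[24..].copy_from_slice(&v.to_be_bytes());
    b
}

fn main() {
    let (alice, usdc) = ([0xA1u8; 32], [0x05u8; 32]); // constructed identifiers
    let (mut bad, mut good) = (RefundLedger::default(), RefundLedger::default());
    for _ in 0..2 { // the same failed deposit registered twice
        bad.register_refund_overwrite(alice, usdc, amt(1_000_000));
        good.register_refund_accumulate(alice, usdc, amt(1_000_000)).unwrap();
    }
    println!("overwrite owes 1M: {}", bad.owed(&alice, &usdc) == amt(1_000_000));
    println!("accumulate owes 2M: {}", good.owed(&alice, &usdc) == amt(2_000_000));
}
```

The double-registration case in `main` is the special case the long-term recommendation asks to have covered by tests.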