**Contest repo:** https://github.com/code-423n4/2023-07-axelar

**Findings repo:** https://github.com/code-423n4/2023-07-axelar-findings

**Judging by:** [Bernd](https://twitter.com/berndartmueller) (Discord: `berndartmueller#1928`)

**Pre-sorting by:** [sorryNotsorry](https://twitter.com/0xSorryNotSorry) (Discord: `0xsorrynotsorry`)

# High Severity Primary Submissions (17)

## [[H-484] Interchain token transfer can be DoSed due to flow limit](https://github.com/code-423n4/2023-07-axelar-findings/issues/484)

## [[H-466] Honest users could lose funds due to the current implementation of `executeProposal()`](https://github.com/code-423n4/2023-07-axelar-findings/issues/466)

## [[H-461] `onlyProxy` MODIFIER CAN BE BYPASSED BY A MALICIOUS PROXY CONTRACT AND CAN PUSH THE IMPLEMENTATION CONTRACT INTO AN UNDESIRABLE STATE](https://github.com/code-423n4/2023-07-axelar-findings/issues/461)

## [[H-441] Insecure minimum threshold in `_rotateSigners` function](https://github.com/code-423n4/2023-07-axelar-findings/issues/441)

## [[H-424] `InterchainTokenService#registerCanonicalToken` GatewayToken check can be bypassed in several ways](https://github.com/code-423n4/2023-07-axelar-findings/issues/424)

## [[H-420] AxelarGateway.sol: external setup function allows anyone to set `governance_`, `mintLimiter_` and `operator`](https://github.com/code-423n4/2023-07-axelar-findings/issues/420)

## [[H-390] Users can abuse multicall feature on InterchainTokenService to steal contract funds](https://github.com/code-423n4/2023-07-axelar-findings/issues/390)

## [[H-372] LACK OF VALIDATION CHECK COULD LEAD TO WRONG TOKEN TRANSFERS THUS BREAKING THE PROTOCOL](https://github.com/code-423n4/2023-07-axelar-findings/issues/372)

## [[H-356] Users can steal funds in the contract to avoid paying gas](https://github.com/code-423n4/2023-07-axelar-findings/issues/356)

## [[H-317] ERC777 and similar token implementations allow stealing of funds when transferring tokens](https://github.com/code-423n4/2023-07-axelar-findings/issues/317)

## [[H-316] Gas fees are refunded to a wrong address when transferring tokens via `InterchainToken.interchainTransferFrom`](https://github.com/code-423n4/2023-07-axelar-findings/issues/316)

## [[H-315] Colluded signers can steal native coins from a signer](https://github.com/code-423n4/2023-07-axelar-findings/issues/315)

## [[H-296] Potential Denial of Service and Front-running Vulnerability in expressReceiveToken and expressReceiveTokenWithData Functions](https://github.com/code-423n4/2023-07-axelar-findings/issues/296)

## [[H-286] Deployer of standardized token is allowed to deploy same standardized token to another chain, with different decimals](https://github.com/code-423n4/2023-07-axelar-findings/issues/286)

## [[H-101] Replay Attacks for validateProof](https://github.com/code-423n4/2023-07-axelar-findings/issues/101)

## [[H-100] ITS: Standardized tokens deployed with deployRemoteCanonicalToken cannot have liquidity, making the bridge unusable for that asset, and locking tokens on sending chain](https://github.com/code-423n4/2023-07-axelar-findings/issues/100)

## [[H-90] TokenManagerLiquidityPool.sol can permanently lock funds into liquidity pools](https://github.com/code-423n4/2023-07-axelar-findings/issues/90)

# Medium Severity Primary Submissions (53)

## [[M-502] Accepted proposal may be recreated at the same address with a malicious proposal if there's a self destruct function in the accepted proposal](https://github.com/code-423n4/2023-07-axelar-findings/issues/502)

## [[M-497] Users who call `expressReceiveTokenWithData` or `expressReceiveToken` can be griefed to pay for fees](https://github.com/code-423n4/2023-07-axelar-findings/issues/497)

## [[M-489] Addresses in modifier not set correctly](https://github.com/code-423n4/2023-07-axelar-findings/issues/489)

## [[M-458] Inconsistencies between `expressReceiveTokenWithData` and `_processSendTokenWithDataPayload` can lead to gameable accounting errors for select tokens](https://github.com/code-423n4/2023-07-axelar-findings/issues/458)

## [[M-457] Measuring in native tokens will cause some transactions to fail unexpectedly due to gas price spikes on the destination chain](https://github.com/code-423n4/2023-07-axelar-findings/issues/457)

## [[M-450] InitProxy and Proxy may revert preventing successful init](https://github.com/code-423n4/2023-07-axelar-findings/issues/450)

## [[M-440] expressReceiveToken function on InterchainTokenService cannot be paused, express caller may lose funds when the transaction is settled after token service is paused](https://github.com/code-423n4/2023-07-axelar-findings/issues/440)

## [[M-397] [M] sendProposals reverts due to exceeding gas limit](https://github.com/code-423n4/2023-07-axelar-findings/issues/397)

## [[M-391] USERS COULD LOSE FUNDS DUE TO INSUFFICIENT INPUT VALIDATION CHECKS](https://github.com/code-423n4/2023-07-axelar-findings/issues/391)

## [[M-370] Adversary can prevent the deployment in `{TokenManagerDeployer, StandardizedTokenDeployer}` by frontrunning](https://github.com/code-423n4/2023-07-axelar-findings/issues/370)

## [[M-368] InterchainProposalSender.sendProposal/sendProposals should add access control](https://github.com/code-423n4/2023-07-axelar-findings/issues/368)

## [[M-348] `RemoteAddressValidator::validateSender` uses default address for `interchainTokenServiceAddress`](https://github.com/code-423n4/2023-07-axelar-findings/issues/348)

## [[M-346] Users can create `TokenManager` with any `LiquidityPool`](https://github.com/code-423n4/2023-07-axelar-findings/issues/346)

## [[M-342] `AxelarServiceGovernance` can only be called cross chain](https://github.com/code-423n4/2023-07-axelar-findings/issues/342)

## [[M-341] Signers' signatures have no deadline and they cannot withdraw their vote](https://github.com/code-423n4/2023-07-axelar-findings/issues/341)

## [[M-339] Interchain token transfers to destination addresses that support flash loans can have their transfer stolen](https://github.com/code-423n4/2023-07-axelar-findings/issues/339)

## [[M-338] `flowLimit` can be exceeded](https://github.com/code-423n4/2023-07-axelar-findings/issues/338)

## [[M-334] `MultisigBase` can get excess `eth`](https://github.com/code-423n4/2023-07-axelar-findings/issues/334)

## [[M-332] `TokenManager`'s flow limit logic is broken for `ERC777` tokens](https://github.com/code-423n4/2023-07-axelar-findings/issues/332)

## [[M-328] The impossibility of scheduling several identical operations within the timelock period of the first such operation](https://github.com/code-423n4/2023-07-axelar-findings/issues/328)

## [[M-323] `RemoteAddressValidator` can incorrectly convert addresses to lower case](https://github.com/code-423n4/2023-07-axelar-findings/issues/323)

## [[M-322] `InterchainTokenService.getImplementation` can cause deployment of a non-functioning `TokenManagerProxy`](https://github.com/code-423n4/2023-07-axelar-findings/issues/322)

## [[M-319] Proposal requiring native coin transfers cannot be executed](https://github.com/code-423n4/2023-07-axelar-findings/issues/319)

## [[M-318] `AxelarServiceGovernance` doesn't implement a function to manage proposals](https://github.com/code-423n4/2023-07-axelar-findings/issues/318)

## [[M-313] Proxy contracts have an empty `receive` function that will make it impossible to call `receive` on implementation contract](https://github.com/code-423n4/2023-07-axelar-findings/issues/313)

## [[M-308] Deploying Canonical Bridge will fail for some tokens.](https://github.com/code-423n4/2023-07-axelar-findings/issues/308)

## [[M-302] TokenManager::setup does not check the caller](https://github.com/code-423n4/2023-07-axelar-findings/issues/302)

## [[M-300] InterchainTokenService doesn't support executeWithToken, but the call succeeds silently](https://github.com/code-423n4/2023-07-axelar-findings/issues/300)

## [[M-293] Users' funds are permanently locked when sent to a destinationAddress that reverts.](https://github.com/code-423n4/2023-07-axelar-findings/issues/293)

## [[M-292] Users' funds are indefinitely locked when sent to a chain that does not have enough tokens.](https://github.com/code-423n4/2023-07-axelar-findings/issues/292)

## [[M-291] Users' funds are temporarily locked when sent to a chain whose InterchainTokenService is paused](https://github.com/code-423n4/2023-07-axelar-findings/issues/291)

## [[M-278] `AxelarServiceGovernance.sol`: missing timelock check before proposal execution](https://github.com/code-423n4/2023-07-axelar-findings/issues/278)

## [[M-261] `InterchainTokenService` may send invalid payload with non-existent `TokenManagers` contracts](https://github.com/code-423n4/2023-07-axelar-findings/issues/261)

## [[M-254] User might send tokens to unsupported chains because of faulty implementations in RemoteAddressValidator](https://github.com/code-423n4/2023-07-axelar-findings/issues/254)

## [[M-245] MultisigBase.sol | The lack of a unique identifier for the operation creates a risk of execution several times](https://github.com/code-423n4/2023-07-axelar-findings/issues/245)

## [[M-239] Axelar Governance is unable to call setFlowLimits in InterchainTokenService.sol](https://github.com/code-423n4/2023-07-axelar-findings/issues/239)

## [[M-215] Creating the same proposal hash when creating a new proposal in `_processCommand` function is possible](https://github.com/code-423n4/2023-07-axelar-findings/issues/215)

## [[M-210] Token mint amounts abnormally if L2 sequencer goes down](https://github.com/code-423n4/2023-07-axelar-findings/issues/210)

## [[M-205] No deadline option is provided for interchain transfers/messages](https://github.com/code-423n4/2023-07-axelar-findings/issues/205)

## [[M-202] Failure of token transfer on destination chain does not result in a refund](https://github.com/code-423n4/2023-07-axelar-findings/issues/202)

## [[M-201] Violation of the `ERC-1967` standard](https://github.com/code-423n4/2023-07-axelar-findings/issues/201)

## [[M-200] Lack of whitelisting on the destination chainID](https://github.com/code-423n4/2023-07-axelar-findings/issues/200)

## [[M-196] Problems in storing operators in AxelarAuthWeighted](https://github.com/code-423n4/2023-07-axelar-findings/issues/196)

## [[M-177] Cross-chain message execution may be DoSed due to exceeding the block limit](https://github.com/code-423n4/2023-07-axelar-findings/issues/177)

## [[M-132] upgrade() function should have timelock mechanism per the documentation](https://github.com/code-423n4/2023-07-axelar-findings/issues/132)

## [[M-130] Issues with governance in AxelarGateway.sol](https://github.com/code-423n4/2023-07-axelar-findings/issues/130)

## [[M-87] An Optimizer Bug in AddressBytesUtils.sol](https://github.com/code-423n4/2023-07-axelar-findings/issues/87)

## [[M-82] ITS: Using the canonical bridge on a pre-existing yield generating token will result in the yield being permanently locked in the contract](https://github.com/code-423n4/2023-07-axelar-findings/issues/82)

## [[M-52] Insufficient support for tokens with different decimals on different chains leads to loss of funds on cross-chain bridging](https://github.com/code-423n4/2023-07-axelar-findings/issues/52)

## [[M-45] Possible panic error / unexpected revert in interchainTransferFrom() of interchainToken.sol due to improper subtraction](https://github.com/code-423n4/2023-07-axelar-findings/issues/45)

## [[M-25] InterchainProposalExecutor.sol doesn't support non-EVM address as caller or sender](https://github.com/code-423n4/2023-07-axelar-findings/issues/25)

## [[M-24] Flow limit can be bypassed in certain scenario](https://github.com/code-423n4/2023-07-axelar-findings/issues/24)

## [[M-23] Hard-fork EVM chains won't be supported by InterchainTokenService.sol](https://github.com/code-423n4/2023-07-axelar-findings/issues/23)