Description

The function bridgeTokenConnext, which is used to bridge tokens via connext bridge, calls the following function with the value passed as relayerFee:

function bridgeTokenConnext(address token, address arbEscrow, uint256 amount, uint256 slippage, uint256 relayerFee)
    external
    onlyOwner
    onlyBroke
{
    //...
    connext.xcall{value: relayerFee}(
        1634886255, // _destination: Domain ID of the destination chain
        arbEscrow, // _to: address receiving the funds on the destination
        address(xToken), // _asset: address of the token contract
        msg.sender, // _delegate: address that can revert or forceLocal on destination
        amount, // _amount: amount of tokens to transfer
        slippage, // _slippage: the maximum amount of slippage the user will accept in BPS (e.g. 30 = 0.3%)
        bytes("") // _callData: empty bytes because we're only sending funds
    );
}

While the function calls connext.xcall with some value, bridgeTokenConnext is not marked as payable. Therefore, the relayerFee would be subtracted from the ETH balance available in the contract (i.e., the user funds). Adding a payable keyword would allow ETH to be sent to this function call.

Impact

The relayerFee sent to connext bridge would be deducted from the user funds.

Recommendations

We recommend making the function payable. Furthermore, we also recommend adding a check that the msg.value passed to the function is equal to the relayerFee.

Remediation

This issue has been acknowledged by Bracket Labs Group SA, and a fix was implemented in commit e2377e01↗.