
Component: ICS20Transfer

Function: sendtransfer

This function initiates an ICS20 transfer.

Inputs

  • msg_

    • Control: Arbitrary.

    • Constraints: msg_.amount > 0.

    • Impact: The msg_ contains the transfer parameters.

Branches and code coverage

Intended branches

Function call analysis

  • _transferfrom(_msgsender(), address(escrow), msg_.denom, msg_.amount)

    • What is controllable? msg_.denom and msg_.amount.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • escrow.recvcallback(msg_.denom, _msgsender(), msg_.amount)

    • What is controllable? msg_.denom and msg_.amount.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

Function: OnRecvPacket

This is a recv callback, executed when receiving an ICS20 IBC packet.

Inputs

  • msg_

    • Control: Arbitrary.

    • Constraints: Several constraints ensuring valid packet details such as versioning and port — also, packet amount > 0.

    • Impact: The received IBC ICS20 message.

Branches and code coverage

Intended branches

Function call analysis

  • IBCERC20(erc20Address).mint(address(escrow), packetData.amount)

    • What is controllable? packetData.amount.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • _getOrCreateIBCERC20(newDenom, address(escrow))

    • What is controllable? Nothing.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

Function: onAckPacket

This is a packet-acknowledgment callback, refunding tokens back to the sender and minting the tokens if they were burned from the escrow.

Inputs

  • msg_

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Contains the parameters required for the acknowledgement.

Branches and code coverage

Intended branches

Function call analysis

  • IBCERC20(erc20Address).mint(address(escrow), packetData.amount)

    • What is controllable? Nothing.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • escrow.send(IERC20(erc20Address), refundee, packetData.amount)

    • What is controllable? packetData.amount, granted the relevant packet was sent initially.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

Function: onTimeoutPacket

This is a time-out acknowledgment callback, refunding tokens back to the sender and minting the tokens if they were burned from the escrow.

Inputs

  • msg_

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Contains the parameters required for the timeout call.

Branches and code coverage

Intended branches

Function call analysis

  • IBCERC20(erc20Address).mint(address(escrow), packetData.amount)

    • What is controllable? Nothing.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • escrow.send(IERC20(erc20Address), refundee, packetData.amount)

    • What is controllable? packetData.amount, granted the relevant packet was sent initially.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.
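The refund calls in onAckPacket and onTimeoutPacket are safe only because packetData.amount is controllable "granted the relevant packet was sent initially". The following is an added example, not code from the audited contracts: a simplified Python model of that property, assuming the refund path is bound to a stored commitment of the sent packet. All names in it (`TransferModel`, `commitment`, `refund`, the sample accounts) are hypothetical, and the mint branch is left out.

```python
"""Toy model (constructed for illustration) of escrow-and-refund accounting."""
import hashlib

def commitment(seq: int, sender: str, denom: str, amount: int) -> bytes:
    # Hash binds every refund-relevant field of the packet that was sent.
    return hashlib.sha256(f"{seq}|{sender}|{denom}|{amount}".encode()).digest()

class TransferModel:
    def __init__(self, balances: dict):
        self.balances = dict(balances)   # (holder, denom) -> amount
        self.commitments = {}            # seq -> commitment of the sent packet
        self.next_seq = 1

    def _move(self, src, dst, denom, amount):
        if self.balances.get((src, denom), 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[(src, denom)] -= amount
        self.balances[(dst, denom)] = self.balances.get((dst, denom), 0) + amount

    def send_transfer(self, sender, denom, amount) -> int:
        if amount <= 0:                  # constraint listed for sendtransfer
            raise ValueError("amount must be > 0")
        self._move(sender, "escrow", denom, amount)
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.commitments[seq] = commitment(seq, sender, denom, amount)
        return seq

    def refund(self, seq, refundee, denom, amount):
        # Shared path for a failed acknowledgement or a timeout.
        if self.commitments.get(seq) != commitment(seq, refundee, denom, amount):
            raise PermissionError("packet was never sent with these fields")
        del self.commitments[seq]        # one refund per sent packet
        self._move("escrow", refundee, denom, amount)

def demo():
    m = TransferModel({("alice", "uatom"): 100, ("escrow", "uatom"): 500})
    seq = m.send_transfer("alice", "uatom", 40)
    outcomes = []
    for args in [(seq, "alice", "uatom", 400),    # inflated amount
                 (seq, "mallory", "uatom", 40),   # wrong refundee
                 (seq, "alice", "uatom", 40),     # matches the sent packet
                 (seq, "alice", "uatom", 40)]:    # replay of the same refund
        try:
            m.refund(*args)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("rejected")
    return outcomes, m.balances[("alice", "uatom")], m.balances[("escrow", "uatom")]
```

Only the refund that matches the committed packet moves funds, and the escrow balance ends where it started.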

Zellic © 2025