Powerful Honeysuckle Anteater
Medium
_lzReceive in GlobalVariables sets the refund address to itself, but there is no way to recover the refunded funds
The _lzReceive() function in GlobalVariables.sol is intended to receive cross-chain responses and send requested funds. However, the refund address for the send-back operation is set to the GlobalVariables contract itself, leaving no mechanism to retrieve the refunded funds.
The refund address for .send() operations is set to a contract that cannot retrieve the refunded funds. References where the refund address is set to GlobalVariables.sol:
IOFT(assetAddress).send{value: _fee.nativeFee}(_sendParam, _fee, address(this));
usda.send{value: _fee.nativeFee}(_sendParam, _fee, address(this));
- During normal operations, assets need to be transferred cross-chain.
- The chain processing the request sends the funds back via the _lzReceive() function in GlobalVariables.sol.
- The address for excess fee refunds is set to the GlobalVariables contract itself, which lacks a mechanism to withdraw the funds.
- Refunded fee funds become stuck in the contract and can accumulate to a significant amount, making them permanently inaccessible.
Either change the refund address to an accessible address or add a withdrawal mechanism to the contract.
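A sketch of both recommended mitigations, added here as an illustration and not taken from the audited code base. The contract name, the owner model, refundRecipient and sweepNative are hypothetical; only the .send() call shape in the comment comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only: hypothetical names, not the project's GlobalVariables contract.
contract RefundRecoverySketch {
    address public owner;
    // Option 1: an externally reachable address that receives excess-fee refunds.
    address payable public refundRecipient;

    event RefundRecipientUpdated(address indexed recipient);
    event NativeSwept(address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address payable _refundRecipient) {
        if (_refundRecipient == address(0)) revert ZeroAddress();
        owner = msg.sender;
        refundRecipient = _refundRecipient;
    }

    // Accept native refunds that still arrive at this contract.
    receive() external payable {}

    function setRefundRecipient(address payable _recipient) external onlyOwner {
        if (_recipient == address(0)) revert ZeroAddress();
        refundRecipient = _recipient;
        emit RefundRecipientUpdated(_recipient);
    }

    // Option 1 at the send sites: pass refundRecipient instead of address(this), e.g.
    //   usda.send{value: _fee.nativeFee}(_sendParam, _fee, refundRecipient);

    // Option 2: owner-gated withdrawal of refunds already held by the contract.
    function sweepNative(address payable to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit NativeSwept(to, amount);
    }
}
```

If the contract also holds native balance for other purposes, the sweep should be limited to the refunded portion rather than the full balance.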