CodeDesignz - [M-1] L1CrossDomainMessenger::_sendNativeTokenMessage has no check for _amount value 0, resulting in the relayMessage to trigger even for the 0 value
#68
Comments
sherlock-admin4
changed the title
L1CrossDomainMessenger::_sendNativeTokenMessage has no check for _amount value 0, resulting in the relayMessage to trigger even for the 0 valueL1CrossDomainMessenger::_sendNativeTokenMessage has no check for _amount value 0, resulting in the relayMessage to trigger even for the 0 value
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CodeDesignz
Medium
[M-1]
L1CrossDomainMessenger::_sendNativeTokenMessagehas no check for_amountvalue 0, resulting in therelayMessageto trigger even for the 0 valueSummary
L1CrossDomainMessenger::_sendNativeTokenMessagehas no check for_amountvalue 0, resulting in therelayMessageto trigger even for the 0 value. This means than the function call will not fail even when theamountis zero in the call.Root Cause
There is a missing check for when
_amountis equal to0inL1CrossDomainMessenger::_sendNativeTokenMessagefunction.https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/tokamak/contracts-bedrock/src/L1/L1CrossDomainMessenger.sol#L191
Internal pre-conditions
L1StandardBridge::_initiateBridgeNativeTokenis initated with 0 value for the native token amount.sendNativeTokenMessagefunction is invoked onL1CrossDomainMessengerwhich in turn calls_sendNativeTokenMessagefunction._sendNativeTokenMessagetriggers_sendMessagewhich emits theSentMessageandSentMessageExtension1events. Thoughout this chain, we are not checking if the amount is equal to 0. This results in the event emitted for the zero value as well.External pre-conditions
No response
Attack Path
No response
Impact
The users will be able to trigger native token calls with zero token amount as well.
PoC
No response
Mitigation
Add a conditional to handle the case when
_amountis equal to0. For example, if a revert is to be expected, than and else clause can be added to to theL1CrossDomainMessenger::_sendNativeTokenMessagefunction.{ // Collect native token if (_amount > 0) { address _nativeTokenAddress = nativeTokenAddress(); IERC20(_nativeTokenAddress).safeTransferFrom(_sender, address(this), _amount); IERC20(_nativeTokenAddress).approve(address(portal), _amount); } + else { + revert("Native Token amount should be greater than 0") + } // Triggers a message to the other messenger. Note that the amount of gas provided to the // message is the amount of gas requested by the user PLUS the base gas value. We want to // guarantee the property that the call to the target contract will always have at least // the minimum gas limit specified by the user. _sendMessage( address(otherMessenger), baseGas(_message, _minGasLimit), _amount, abi.encodeWithSelector( this.relayMessage.selector, messageNonce(), _sender, _target, _amount, _minGasLimit, _message ) );The text was updated successfully, but these errors were encountered: