FoundryBridge (Beginner Friendly)
100 EXP
Submission Details
Severity: low
Invalid

Missing zero address validation

Summary

The code decodes a message and sends Ether to the decoded target address without checking whether that address is the zero address.

Vulnerability Details

This could allow an attacker to create a fake signed message that instructs the contract to send Ether to the zero address, which is irreversible and wasteful.

(address target, uint256 value, bytes memory data) = abi.decode(message, (address, uint256, bytes));
(bool success,) = target.call{ value: value }(data);

Impact

The impact of this vulnerability is that the contract could send Ether to the zero address, the default value of an uninitialized address variable, which no one controls. Sending Ether to the zero address is equivalent to burning it: it can never be recovered or spent by anyone. This could result in a loss of funds for the contract and its users.

Tools Used

  • slither

Recommendations

You should check that the target address is not zero before sending Ether.

(address target, uint256 value, bytes memory data) = abi.decode(message, (address, uint256, bytes));
// Check that the target is not zero
require(target != address(0), "L1BossBridge__ZeroAddress");
(bool success,) = target.call{ value: value }(data);
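
The following is an added example, not the project's code, showing the recommended check inside a minimal stand-in for the bridge's L1-side executor together with a Foundry test that exercises it. The contract name, the single trusted signer, the raw keccak256 signing scheme (no EIP-191 prefix), the "invalid signature" and "call failed" revert strings, and the test key are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { Test } from "forge-std/Test.sol";

/// Added example, not the project's code: a minimal stand-in for the bridge's
/// L1-side executor. The contract name, the single trusted signer and the raw
/// keccak256 signing scheme (no EIP-191 prefix) are simplifying assumptions.
contract MinimalL1Executor {
    address public immutable signer; // assumed: one off-chain signer trusted by the bridge

    constructor(address _signer) {
        signer = _signer;
    }

    receive() external payable {}

    /// Executes a signed (target, value, data) message, as in the finding's snippet,
    /// with the recommended zero-address check inserted right after decoding.
    function sendToL1(uint8 v, bytes32 r, bytes32 s, bytes memory message) external {
        // Assumed simplified signing scheme: signature over keccak256(message).
        address recovered = ecrecover(keccak256(message), v, r, s);
        require(recovered != address(0) && recovered == signer, "invalid signature");

        (address target, uint256 value, bytes memory data) =
            abi.decode(message, (address, uint256, bytes));

        // Recommended check from the finding: refuse to send Ether to the zero address.
        require(target != address(0), "L1BossBridge__ZeroAddress");

        (bool success,) = target.call{ value: value }(data);
        require(success, "call failed"); // assumed: surface a failed call instead of ignoring it
    }
}

/// Foundry test: a message targeting address(0) now reverts, while a message
/// to an ordinary recipient still goes through.
contract MinimalL1ExecutorTest is Test {
    uint256 internal constant SIGNER_KEY = 0xA11CE; // constructed test private key
    MinimalL1Executor internal executor;

    function setUp() public {
        executor = new MinimalL1Executor(vm.addr(SIGNER_KEY));
        vm.deal(address(executor), 10 ether);
    }

    // Builds and signs a message with empty calldata for the given target and value.
    function _signed(address target, uint256 value)
        internal
        view
        returns (uint8 v, bytes32 r, bytes32 s, bytes memory message)
    {
        message = abi.encode(target, value, bytes(""));
        (v, r, s) = vm.sign(SIGNER_KEY, keccak256(message));
    }

    function test_RevertsOnZeroAddressTarget() public {
        (uint8 v, bytes32 r, bytes32 s, bytes memory message) = _signed(address(0), 1 ether);
        vm.expectRevert(bytes("L1BossBridge__ZeroAddress"));
        executor.sendToL1(v, r, s, message);
        assertEq(address(executor).balance, 10 ether); // nothing was burned
    }

    function test_SendsToValidTarget() public {
        address recipient = makeAddr("recipient");
        (uint8 v, bytes32 r, bytes32 s, bytes memory message) = _signed(recipient, 1 ether);
        executor.sendToL1(v, r, s, message);
        assertEq(recipient.balance, 1 ether);
        assertEq(address(executor).balance, 9 ether);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The check sits after `abi.decode` and before the external call, so a correctly signed message still cannot route funds to `address(0)`; the first test asserts the executor's balance is untouched after the revert.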

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issue
