stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Possibility to miss setting up extraArgs

stoicov

Summary

extraArgsByChain in RESDLTokenBridge is not set upon construction but depends on owner to set it via the onlyOwner setExtraArgs method

Vulnerability Details

The extra arguments is the gaslimit used in ccip messages. As per Chainlink documentation if extra arguments are not set a default of 200_000 gas will be used. Because the gaslimit is not set upon construction there is a chance that the owner delays their setting for some reason or simply forgets, which means during that period of time in which gaslimit is not set ccipReceive on the destionation chain contract will use 200_000 gas. I believe this is worth mentioning because unspent gas is not refunded as per CCIP docs

Same thing goes for setRewardsExtraArgs and setUpdateExtraArgs in SDLPoolCCIPControllerPrimary.

Impact

Potential waste of gas.

Tools Used

Manual Review

Recommendations

Set extra arguments per chain upon construction. The onlyOwner method can be kept so arguments can have the functionality to be changed.

Updates

Lead Judging Commences

0kage Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.