stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

SDLPoolCCIPControllerPrimary.sol Validation Concern

Summary

This report focuses on a validation issue in the SDLPoolCCIPControllerPrimary.sol smart contract, identified in the handleIncomingRESDL function. The concern revolves around the absence of a validity check for _sourceChainSelector.

Vulnerability Details

In SDLPoolCCIPControllerPrimary.sol:131, the function handleIncomingRESDL lacks a validation check for _sourceChainSelector. This parameter is used directly in the function without verifying its legitimacy or existence within the context of the contract's logic, particularly where it is used in relation to reSDLSupplyByChain.

Impact

Since this _sourceChainSelector ultimately comes from the CCIP message the bridge receives, the chances of it being maliciously used are low.

Tools Used

Manual Review

Recommendations

To mitigate these risks, the following actions are recommended:

  1. Implement Validity Check: Before proceeding with any operations in handleIncomingRESDL, add a check to ensure _sourceChainSelector is valid. This could involve verifying its existence in a list of valid chain selectors or checking against other relevant criteria.

  2. Revert on Invalid Input: If the _sourceChainSelector is found to be invalid, the function should revert the transaction to prevent any unintended state changes.
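As an added illustration (not stake.link's code), a simplified controller that applies both recommendations: the selector is checked against an allow-list before any state is touched, and an unknown selector reverts with a descriptive error. The names bridge, owner and whitelistedChains and the reduced handleIncomingRESDL signature are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Simplified stand-in for the controller; not stake.link's code. Assumed:
// the bridge calls handleIncomingRESDL once a CCIP message arrives, and
// reSDLSupplyByChain tracks how much reSDL each secondary chain holds.
contract ControllerExample {
    error OnlyBridge();
    error OnlyOwner();
    error InvalidSourceChain(uint64 chainSelector);
    address public immutable owner;
    address public immutable bridge;
    mapping(uint64 => bool) public whitelistedChains;     // assumed allow-list
    mapping(uint64 => uint256) public reSDLSupplyByChain;

    constructor(address _bridge) {
        owner = msg.sender;
        bridge = _bridge;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert OnlyOwner();
        _;
    }
    modifier onlyBridge() {
        if (msg.sender != bridge) revert OnlyBridge();
        _;
    }

    function setChainWhitelisted(uint64 _chainSelector, bool _allowed) external onlyOwner {
        whitelistedChains[_chainSelector] = _allowed;
    }

    // Handles reSDL arriving from a secondary chain. The audit's point: the
    // selector is trusted as-is. Recommendations 1 and 2 are applied here by
    // checking the allow-list first and reverting with a descriptive error
    // instead of touching reSDLSupplyByChain for an unknown chain.
    function handleIncomingRESDL(uint64 _sourceChainSelector, uint256 _amount) external onlyBridge {
        if (!whitelistedChains[_sourceChainSelector]) {
            revert InvalidSourceChain(_sourceChainSelector);
        }
        // With 0.8 checked arithmetic an unknown chain (supply zero) would
        // already revert on the subtraction, but only with a generic panic;
        // the explicit check above is the clearer failure. Accounting simplified.
        reSDLSupplyByChain[_sourceChainSelector] -= _amount;
    }
}
```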

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
