The onTokenTransfer function is designed to handle the receipt of tokens that are to be wrapped and transferred to another chain. However, the function does not validate the _receiver address extracted from the encoded calldata. This could result in tokens being wrapped and transferred to an invalid address (e.g., the zero address), leading to a loss of funds.
If the _receiver address is not validated and a zero address or another invalid address is provided, the tokens could be permanently locked or sent to an unrecoverable address upon execution of a cross-chain transfer.
To verify this bug, one can simulate a call to the onTokenTransfer function with calldata that encodes a zero address as the receiver. The expected result is that the function should revert, but due to the lack of validation, the function would proceed, leading to the wrapping and initiation of a transfer to an invalid address.
// Simulate a call to onTokenTransfer with a zero receiver address.
// deployedAddress, destinationChain, maxLINKFee, senderAddress and tokenAmount
// are not defined in this snippet; they are expected to come from the test setup.
function testOnTokenTransferWithZeroAddress() external {
    // Assume the contract is already deployed with appropriate token addresses
    WrappedTokenBridge bridge = WrappedTokenBridge(deployedAddress);
    // Encode calldata with a zero receiver address
    bytes memory data = abi.encode(uint64(destinationChain), address(0), uint256(maxLINKFee));
    // Call onTokenTransfer with the zero receiver address encoded in calldata
    // This should fail, but due to the bug, it will not
    bridge.onTokenTransfer(senderAddress, tokenAmount, data);
    // If the call does not revert, the bug is confirmed
}
Add a validation check in the onTokenTransfer function to ensure that the _receiver address is a non-zero address. This can be done by adding a simple require statement:
require(receiver != address(0), "InvalidReceiver");
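A regression check for the recommended validation, as an added example that is not part of the original finding or the project's code. `HookSketch` and `ReceiverCheckProbe` are hypothetical stand-ins: only the calldata decoding and the receiver check are modelled, and the sample chain selector, amounts and the custom error form of `InvalidReceiver` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical stand-in for the bridge hook: only the calldata decoding and
// the receiver check are modelled; wrapping and the cross-chain send are not.
contract HookSketch {
    error InvalidReceiver();

    bool public immutable validateReceiver; // false = behaviour described in the finding
    address public lastReceiver;            // records where a transfer would be sent

    constructor(bool _validateReceiver) {
        validateReceiver = _validateReceiver;
    }

    function onTokenTransfer(address, uint256, bytes calldata _calldata) external {
        // Same (uint64, address, uint256) layout as the calldata built in the test above
        (, address receiver, ) = abi.decode(_calldata, (uint64, address, uint256));
        if (validateReceiver && receiver == address(0)) revert InvalidReceiver();
        lastReceiver = receiver;
    }
}

// Regression probe: returns true only if the zero receiver is rejected
// with InvalidReceiver and a non-zero receiver is still accepted.
contract ReceiverCheckProbe {
    function rejectsZeroReceiver(HookSketch hook) external returns (bool) {
        // Constructed sample values: chain selector 1, fee cap 1 ether
        bytes memory bad = abi.encode(uint64(1), address(0), uint256(1 ether));
        bytes memory good = abi.encode(uint64(1), address(this), uint256(1 ether));

        hook.onTokenTransfer(address(this), 1 ether, good); // must not revert
        if (hook.lastReceiver() != address(this)) return false;

        try hook.onTokenTransfer(address(this), 1 ether, bad) {
            return false; // zero receiver accepted: the finding reproduces
        } catch (bytes memory reason) {
            // Accept only the specific custom error, not an unrelated revert
            return reason.length == 4 && bytes4(reason) == HookSketch.InvalidReceiver.selector;
        }
    }
}
```

Deployed with `HookSketch(false)` the probe returns `false`, matching the behaviour the finding describes; with `HookSketch(true)` it returns `true`.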