stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

getFee hardcoded value will revert or lead to loss of user

Summary

getFee has a hardcoded value which can lead to certain operations reverting or to a loss for the user.

Vulnerability Details

The _amount parameter of _buildCCIPMessage is hardcoded in the function getFee, which will revert or cause a huge loss to the caller, as the amount is 1000 ether.

Impact

In getFee, the _amount parameter of _buildCCIPMessage for the token transfer is hardcoded to 1000 ether, which can revert if the sender has less than 1000 ETH when paying in native, or less than 1000 LINK when paying in LINK.
It will also cause a loss to the user if the caller's wallet has 1000 ETH or LINK, as they will be charged for calling the function onTokenTransfer, which calls _transferTokens, as it will call getFee.

Tools Used

Manual Analysis

Recommendations

The recommendation is to add an input parameter that takes a user-defined value, to avoid a loss for the user or a failed transaction in case of insufficient balance.

- function getFee(uint64 _destinationChainSelector, bool _payNative) external view returns (uint256) {
+ function getFee(uint64 _destinationChainSelector, bool _payNative, uint256 amount) external view returns (uint256) {
Client.EVM2AnyMessage memory evm2AnyMessage = _buildCCIPMessage(
address(this),
- 1000 ether,
+ amount,
_payNative ? address(0) : address(linkToken)
);
return IRouterClient(this.getRouter()).getFee(_destinationChainSelector, evm2AnyMessage);
}
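Review bot: the parameter added on the "+ function getFee(...)" line is named amount, while the two existing parameters use a leading underscore (_destinationChainSelector, _payNative); rename it to _amount so the signature is consistent. Adding a third argument also changes the signature of an external function, so every caller has to be updated in the same change, and this patch shows none of those call sites. In the lines shown, getFee is declared external view and only builds a message and returns the router's getFee result, so the patch description should point to the code path that actually spends the quoted amount.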
Updates

Lead Judging Commences

0kage Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

1000 ether
