stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Valid

WrappedTokenBridge is using Hardcoded `extraArgs`

Summary

WrappedTokenBridge uses a hardcoded `extraArgs` value in its CCIP message, which is not suitable for production.

Vulnerability Details

The Chainlink CCIP docs flag this point with a warning callout: it is presented as important, not as a suggestion.

The docs also state that, for production, `extraArgs` must be mutable rather than immutable or hardcoded. This lets the project build `extraArgs` off-chain and pass it in a function call, or store it in a variable that can be updated on demand. The purpose of `extraArgs` is to keep the integration compatible with future CCIP upgrades.

File: WrappedTokenBridge.sol

```solidity
// CCIP message construction: extraArgs is the literal "0x" rather than a
// configurable value
Client.EVM2AnyMessage memory evm2AnyMessage = Client.EVM2AnyMessage({
    receiver: abi.encode(_receiver),
    data: "",
    tokenAmounts: tokenAmounts,
    extraArgs: "0x",
    feeToken: _feeTokenAddress
});
```

The other contracts do have a mutable `extraArgs`; only WrappedTokenBridge hardcodes it to `0x`.

Impact

If Chainlink CCIP upgrades its contracts and requires a specific `extraArgs` value, as the docs warn it may, CCIP messaging from WrappedTokenBridge would break.

Tools Used

Manual analysis

Recommendations

Make `extraArgs` in WrappedTokenBridge mutable, just like the other contracts.
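The following is an added illustration of the recommended fix, not stake.link's code and not the project's WrappedTokenBridge. It assumes the Chainlink CCIP `Client` library import path shown; the contract name, `owner` check, `setExtraArgs` setter and `_buildMessage` helper are hypothetical. It shows the message built from a storage `extraArgs` slot that the owner can update on demand, in place of the literal `"0x"` from the snippet above. Note that the `EVMExtraArgsV1` struct used in the constructor has a single `gasLimit` field in current CCIP releases; older releases also carried a `strict` flag, so match it to the library version in use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not stake.link's code. The import path is the one used in
// the Chainlink CCIP docs; everything else here is hypothetical.
import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";

/// @notice Sketch of a bridge that keeps `extraArgs` in mutable storage
///         instead of hardcoding "0x" (hypothetical contract).
contract ExtraArgsBridgeExample {
    address public owner;

    /// @dev Encoded extraArgs passed verbatim into every CCIP message.
    ///      Updatable on demand, so a CCIP upgrade that requires a new
    ///      extraArgs encoding does not force a redeploy.
    bytes public extraArgs;

    event ExtraArgsUpdated(bytes extraArgs);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _initialGasLimit) {
        owner = msg.sender;
        // Start from a well-formed EVMExtraArgsV1 encoding rather than "0x".
        // (Field set depends on the CCIP library version; see lead-in.)
        extraArgs = Client._argsToBytes(
            Client.EVMExtraArgsV1({gasLimit: _initialGasLimit})
        );
    }

    /// @notice Replace the stored extraArgs with a value built off-chain,
    ///         e.g. after a CCIP upgrade changes the required encoding.
    function setExtraArgs(bytes calldata _extraArgs) external onlyOwner {
        extraArgs = _extraArgs;
        emit ExtraArgsUpdated(_extraArgs);
    }

    /// @dev Builds the CCIP message. The only change from the finding's
    ///      snippet is `extraArgs: extraArgs` instead of `extraArgs: "0x"`.
    function _buildMessage(
        address _receiver,
        Client.EVMTokenAmount[] memory _tokenAmounts,
        address _feeTokenAddress
    ) internal view returns (Client.EVM2AnyMessage memory) {
        return Client.EVM2AnyMessage({
            receiver: abi.encode(_receiver),
            data: "",
            tokenAmounts: _tokenAmounts,
            extraArgs: extraArgs,
            feeToken: _feeTokenAddress
        });
    }
}
```

The setter is gated behind an owner check because `extraArgs` controls destination-chain execution parameters such as the gas limit; whoever can change it can affect whether messages execute, so it should be held to the same access control as the project's other bridge configuration. Emitting an event on every change gives monitoring a hook to alert on unexpected updates.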

Updates

Lead Judging Commences

0kage Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

0kage Lead Judge, over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

hardcode-extraArgs
