stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Limited Cross-Chain Compatibility due to Ethereum-Specific Address Usage

ro1sharkm

Summary

The current implementation of Stake.link protocol uses Ethereum addresses (address type) to represent destinations for Cross-Chain Interoperability Protocol (CCIP) messages. This limits the protocol's compatibility with non-Ethereum Virtual Machine (EVM) chains such as Polkadot or Tron, potentially hindering interoperability.

Vulnerability Details

The identified vulnerability lies in the following code snippet:

function addWhitelistedChain(

uint64 _chainSelector,

address _destination,

bytes calldata _updateExtraArgs,

bytes calldata _rewardsExtraArgs

) external onlyOwner {

if (whitelistedDestinations[_chainSelector] != address(0)) revert AlreadyAdded();

if (_destination == address(0)) revert InvalidDestination();

whitelistedChains.push(_chainSelector);

whitelistedDestinations[_chainSelector] = _destination;

updateExtraArgsByChain[_chainSelector] = _updateExtraArgs;

rewardsExtraArgsByChain[_chainSelector] = _rewardsExtraArgs;

emit ChainAdded(_chainSelector, _destination, _updateExtraArgs, _rewardsExtraArgs);

}

The vulnerability stems from using Ethereum addresses for _destination, limiting the protocol's ability to support non-EVM addresses. Furthermore whitelistedDestinations mapping stores whitelisted addresses as address type

mapping(uint64 => address) public whitelistedDestinations;

Impact

The current implementation restricts the Stake.link protocol from seamlessly interacting with chains that employ address standards different from Ethereum's . This limitation impedes the protocol's goal of providing cross-chain functionality.

Tools Used

Manual Analysis

Recommendations

Adopt Flexible Address Handling that includes using string instead of address for destinations

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.