stake.link
DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Invalid
Return value of getFee function is not checked

Vulnerability Details

According to the CCIP docs at:

https://docs.chain.link/ccip/api-reference/i-router-client#getfee

getFee() would return 0 for invalid messages, but the return value of the function is never checked anywhere in the protocol. We can see this in WrappedTokenBridge.sol at:
https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/WrappedTokenBridge.sol#L177

uint256 fees = router.getFee(_destinationChainSelector, evm2AnyMessage);

and the same unchecked call can be seen at the links provided above.

Impact

Could cause unexpected errors for invalid messages.

Tools Used

Manual Review, CCIP Docs

Recommendations

Check whether the fee returned by getFee() is 0 before continuing with the send.
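The check described in this recommendation, shown inside a minimal CCIP sender. This is an added example, not code from the submission or from the stake.link code base. It assumes Chainlink's IRouterClient and Client interfaces as shipped in the @chainlink/contracts-ccip package (the import paths below follow that package's 2023 layout and are assumptions), an OpenZeppelin IERC20 import, and a hypothetical FeeCheckedSender contract. Treating a zero quote as invalid follows the submission's reading of the docs; the caller-supplied maxFee bound is an additional defensive check that is not on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import paths assumed for the @chainlink/contracts-ccip package layout used in 2023.
import {IRouterClient} from "@chainlink/contracts-ccip/src/v0.8/ccip/interfaces/IRouterClient.sol";
import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// @notice Hypothetical CCIP sender that validates the fee quote before any tokens move
///         (example code, not stake.link's WrappedTokenBridge).
contract FeeCheckedSender {
    error ZeroFeeQuote(uint64 destinationChainSelector);
    error FeeExceedsMax(uint256 fee, uint256 maxFee);

    IRouterClient public immutable router;
    IERC20 public immutable token;    // token being bridged
    IERC20 public immutable feeToken; // token the CCIP fee is paid in (e.g. LINK)

    constructor(address _router, address _token, address _feeToken) {
        router = IRouterClient(_router);
        token = IERC20(_token);
        feeToken = IERC20(_feeToken);
    }

    /// @dev Builds the CCIP message for a single-token transfer. Empty extraArgs
    ///      lets the router apply its default gas limit for the destination.
    function _buildMessage(address _receiver, uint256 _amount)
        internal
        view
        returns (Client.EVM2AnyMessage memory)
    {
        Client.EVMTokenAmount[] memory tokenAmounts = new Client.EVMTokenAmount[](1);
        tokenAmounts[0] = Client.EVMTokenAmount({token: address(token), amount: _amount});

        return Client.EVM2AnyMessage({
            receiver: abi.encode(_receiver),
            data: "",
            tokenAmounts: tokenAmounts,
            feeToken: address(feeToken),
            extraArgs: ""
        });
    }

    /// @notice Quotes the fee, validates it, then pulls funds and sends.
    /// @param _maxFee Caller-supplied upper bound on the fee it is willing to pay.
    function send(uint64 _destinationChainSelector, address _receiver, uint256 _amount, uint256 _maxFee)
        external
        returns (bytes32 messageId)
    {
        Client.EVM2AnyMessage memory message = _buildMessage(_receiver, _amount);

        uint256 fee = router.getFee(_destinationChainSelector, message);

        // The check the submission recommends: a zero quote means the router did not
        // price this message, so stop here before any token transfer or approval.
        if (fee == 0) revert ZeroFeeQuote(_destinationChainSelector);
        // Additional bound so the caller is never charged more than it agreed to.
        if (fee > _maxFee) revert FeeExceedsMax(fee, _maxFee);

        // Only after the quote is accepted: collect the bridged amount and the fee,
        // then grant the router exactly what this send needs.
        token.transferFrom(msg.sender, address(this), _amount);
        feeToken.transferFrom(msg.sender, address(this), fee);
        token.approve(address(router), _amount);
        feeToken.approve(address(router), fee);

        messageId = router.ccipSend(_destinationChainSelector, message);
    }
}
```

The ordering matters as much as the check itself: the quote is validated before transferFrom and approve run, so a rejected message leaves no balance or allowance behind in the sender contract.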

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
