The WrappedTokenBridge.sol contract contains a potential vulnerability in the onTokenTransfer function, which does not check whether the _sender address is the zero address. This oversight may result in reverting the transfer, but the subsequent event emitted at the end of the _transferTokens function could log inaccurate data, including the zero address as the sender.
The vulnerability lies in the onTokenTransfer function, which does not perform a zero address check on the _sender parameter before calling the _transferTokens function. This oversight may lead to a situation where the transfer reverts due to an invalid sender address, but the subsequent event emission incorrectly logs the zero address as the sender.
The potential impact of this vulnerability includes:
Loss of Information: The event logs may contain inaccurate data, with the zero address erroneously recorded as the sender in TokensTransferred events.
Reduced User Experience: Users relying on event logs to track token transfers or protocol activity may experience confusion and difficulties in identifying the actual senders of transactions.
Debugging Challenges: Developers and auditors reviewing the contract may face challenges in debugging and auditing due to inaccurate event logs.
Manual review.
To address this vulnerability, the following recommendations are provided:
Validate _sender for Zero Address: In the onTokenTransfer function, implement a check to ensure that the _sender parameter is a valid, non-zero address before proceeding with the _transferTokens function. This validation can help prevent reverting transactions due to an invalid sender.