MorpheusAI

Foundry
22,500 USDC
Severity: low
Valid

sendDepositToken() / sendMintMessage() may block LayerZero channel due to missing check of minimum gas passed

Summary

Vulnerability Details

According to the LayerZero documentation, smart contracts must be written to estimate cross-chain fees. The integration checklist also notes that, because LayerZero delivers the destination transaction when a message is sent, the sender must pay for that destination gas. A default of 200,000 gas is priced into the call for simplicity.
Currently, there is no check on a minimum gas limit, and estimateFees() is not used to get the message fees.
According to the README, these contracts will also work with Arbitrum.

Compatibilities:
- Blockchains:
Ethereum/Arbitrum

Arbitrum has a totally different gas model than Ethereum.
The differences are summarized in the following article: https://docs.arbitrum.io/devs-how-tos/how-to-estimate-gas.
As an example, even a simple approve transaction requires a large amount of gas on Arbitrum: https://arbiscan.io/tx/0x04f97a39c6d03029518d1953226b343555ea585d2064a24a767155a548b0665e.

Impact

Because the minimum gas check is missing, sendDepositToken() / sendMintMessage() often fails.

Tools Used

Recommendations

Get the fees dynamically: refer to the LayerZero documentation and use estimateFees(), which returns the fees for the message.
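One way to apply this recommendation, as an added example that is not code from the MorpheusAI repository or from this submission: a sender that enforces a destination gas floor and checks msg.value against estimateFees() before calling send(). The contract name, its storage layout, quote(), sendMessage() and the error names are hypothetical; the two interface functions follow the LayerZero v1 ILayerZeroEndpoint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the LayerZero v1 endpoint interface used by this example.
interface ILayerZeroEndpoint {
    function estimateFees(uint16 dstChainId, address userApplication, bytes calldata payload,
        bool payInZRO, bytes calldata adapterParams)
        external view returns (uint256 nativeFee, uint256 zroFee);
    function send(uint16 dstChainId, bytes calldata destination, bytes calldata payload,
        address payable refundAddress, address zroPaymentAddress, bytes calldata adapterParams)
        external payable;
}

// Hypothetical sender for illustration; not the MorpheusAI contract.
contract GasCheckedSender {
    ILayerZeroEndpoint public immutable endpoint;
    uint16 public immutable dstChainId;
    uint256 public immutable minDstGas; // floor chosen for the destination chain's gas model
    bytes public trustedRemote;         // abi.encodePacked(remoteAddress, localAddress)

    error DstGasTooLow(uint256 requested, uint256 minimum);
    error FeeTooLow(uint256 sent, uint256 required);

    constructor(address endpoint_, uint16 dstChainId_, bytes memory remote_, uint256 minDstGas_) {
        endpoint = ILayerZeroEndpoint(endpoint_);
        dstChainId = dstChainId_;
        trustedRemote = remote_;
        minDstGas = minDstGas_;
    }

    // Adapter parameters version 1: (uint16 version, uint256 destination gas limit).
    function _adapterParams(uint256 dstGas) internal pure returns (bytes memory) {
        return abi.encodePacked(uint16(1), dstGas);
    }

    // Fee the endpoint currently charges for this payload and destination gas limit.
    function quote(bytes memory payload, uint256 dstGas) public view returns (uint256 nativeFee) {
        (nativeFee, ) = endpoint.estimateFees(
            dstChainId, address(this), payload, false, _adapterParams(dstGas));
    }

    function sendMessage(bytes memory payload, uint256 dstGas) external payable {
        // Reject under-provisioned destination gas before the message enters the channel.
        if (dstGas < minDstGas) revert DstGasTooLow(dstGas, minDstGas);
        uint256 fee = quote(payload, dstGas);
        if (msg.value < fee) revert FeeTooLow(msg.value, fee);
        // Any excess over the fee is returned to the caller through refundAddress.
        endpoint.send{value: msg.value}(dstChainId, trustedRemote, payload,
            payable(msg.sender), address(0), _adapterParams(dstGas));
    }
}
```

Callers would read quote() off-chain with the same payload and gas limit and pass the result as msg.value.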

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: `sendMintMessage` doesn't verify the `msg.value` sent by the user facilitating failed transactions.
