MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

The function `sendMintMessage` should estimate fees to prevent failed transactions.

Vulnerability Details

The fees must be estimated prior to this function call to avoid transaction failures.

```solidity
ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
    config.receiverChainId, // communicator LayerZero chainId
    receiverAndSenderAddresses_, // send to this address to the communicator
    payload_, // bytes payload
    payable(refundTo_), // refund address
    address(0x0), // future parameter
    bytes("") // adapterParams (see "Advanced Features")
);
```

For further clarification, see this issue: https://github.com/code-423n4/2022-05-velodrome-findings/issues/80

Impact

When sending a message to the LayerZero endpoint, the caller must include enough gas for the transaction; the transaction will fail if it does not. The `sendMintMessage` function lets the user pass any value they want, which can result in them sending too little, so their transaction could fail.

To find out how much has to be sent, there is the `estimateFees()` function, as described here

Tools Used

Manual

Recommendations

Use the endpoint's `estimateFees()` function before the LayerZero call.
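One way to apply this recommendation, as an added example that is not the project's own code: the sender quotes the LayerZero v1 native fee and rejects an underfunded `msg.value` before calling `send`. The contract name `MintMessageSender`, the `quoteMintFee` helper, the `InsufficientFee` error, the `config.receiver` field and the payload and path encodings are assumptions; only `config.gateway`, `config.receiverChainId` and the `send` arguments come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the LayerZero v1 endpoint interface used in this example.
interface ILayerZeroEndpoint {
    function estimateFees(uint16 dstChainId, address userApplication, bytes calldata payload,
        bool payInZRO, bytes calldata adapterParams)
        external view returns (uint256 nativeFee, uint256 zroFee);

    function send(uint16 dstChainId, bytes calldata destination, bytes calldata payload,
        address payable refundAddress, address zroPaymentAddress, bytes calldata adapterParams)
        external payable;
}

contract MintMessageSender {
    // Assumed layout: only `gateway` and `receiverChainId` appear in the finding.
    struct Config { address gateway; address receiver; uint16 receiverChainId; }
    Config public config;

    error InsufficientFee(uint256 sent, uint256 required);

    constructor(Config memory config_) { config = config_; }

    // Callers read this view first to choose msg.value.
    function quoteMintFee(address user_, uint256 amount_) public view returns (uint256 nativeFee) {
        (nativeFee, ) = ILayerZeroEndpoint(config.gateway).estimateFees(
            config.receiverChainId, address(this), abi.encode(user_, amount_), false, bytes("")
        );
    }

    // Caller restrictions are outside the scope of this example.
    function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable {
        bytes memory payload_ = abi.encode(user_, amount_); // assumed payload encoding
        // LayerZero v1 path: remote address followed by local address.
        bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));

        // Reject underfunded calls up front with an explicit error.
        uint256 required_ = quoteMintFee(user_, amount_);
        if (msg.value < required_) revert InsufficientFee(msg.value, required_);

        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId, receiverAndSenderAddresses_, payload_,
            payable(refundTo_), address(0x0), bytes("")
        );
    }
}
```

The quote must be computed with the same payload and `adapterParams` that are passed to `send`, otherwise the estimate and the actual fee can differ.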

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: `sendMintMessage` doesn't verify the `msg.value` sent by the user facilitating failed transactions.
