lzReceive function would revert when called by config.gateway because of wrong require statement
Below is the require statement in the lzReceive function:
    require(_msgSender() == config.gateway, "L2MR: invalid gateway");
What the above means is that _msgSender() must be equal to config.gateway. However, the use of "_msgSender()" here is not correct. "_msgSender()" represents the owner of the contract, based on OpenZeppelin's OwnableUpgradeable contract, version 4.9.2.
The package.json file of this contract shows that it uses version 4.9.2 of OpenZeppelin's upgradeable contracts.
"_msgSender()" is a function in ContextUpgradeable.sol, which is inherited by the OwnableUpgradeable contract. It returns the owner of a contract.
ContextUpgradeable.sol
    function _msgSender() internal view virtual returns (address) {
        return msg.sender;
    }
OwnableUpgradeable.sol
    function __Ownable_init() internal onlyInitializing {
        __Ownable_init_unchained();
    }
    function __Ownable_init_unchained() internal onlyInitializing {
        _transferOwnership(_msgSender());
    }
The intention in the require statement is to make "config.gateway" the only caller of the lzReceive function. But based on the require statement, the lzReceive function would revert when called by "config.gateway".
lzReceive would revert when called by "config.gateway". Only the owner of the contract can call the function, which is not intended.
Manual review
Use msg.sender instead of _msgSender():
    require(msg.sender == config.gateway, "L2MR: invalid gateway");
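A reviewer can check which address each form of the guard compares against the gateway with a small harness. This is an added example, not code from the audited project: `Receiver`, `Gateway`, `Check` and their functions are hypothetical names, `gateway` stands in for `config.gateway`, and `_msgSender()` is copied from the ContextUpgradeable.sol excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: all contract and function names here are hypothetical.
abstract contract Context {
    // Same body as the ContextUpgradeable._msgSender() excerpt quoted above.
    function _msgSender() internal view virtual returns (address) {
        return msg.sender;
    }
}

contract Receiver is Context {
    address public owner;   // deployer, recorded the way __Ownable_init_unchained does
    address public gateway; // stands in for config.gateway

    constructor() { owner = _msgSender(); }

    function setGateway(address gateway_) external {
        require(_msgSender() == owner, "not owner");
        gateway = gateway_;
    }

    // Guard as written in lzReceive.
    function guardWithMsgSender() external view returns (bool) {
        require(_msgSender() == gateway, "L2MR: invalid gateway");
        return true;
    }

    // Guard as proposed in the recommendation.
    function guardWithRawSender() external view returns (bool) {
        require(msg.sender == gateway, "L2MR: invalid gateway");
        return true;
    }
}

contract Gateway {
    // Calls both guards with this contract as the immediate caller.
    function callBoth(Receiver r) external view returns (bool, bool) {
        return (r.guardWithMsgSender(), r.guardWithRawSender());
    }
}

contract Check {
    // Deploys Receiver (owner = this contract), registers a Gateway, then
    // probes the guards once from the gateway and once from the owner.
    function run() external returns (bool gatewayPasses, bool ownerPasses) {
        Receiver r = new Receiver();
        Gateway g = new Gateway();
        r.setGateway(address(g));
        (bool a, bool b) = g.callBoth(r);
        gatewayPasses = a && b;
        try r.guardWithMsgSender() returns (bool ok) { ownerPasses = ok; } catch { ownerPasses = false; }
    }
}
```

Deploy `Check` in Remix or a local test framework and call `run()`; the two return values show which caller satisfies the guard.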