MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Do not hardcode `_zroPaymentAddress` field to `address(0)`

Summary

Do not hardcode the `_zroPaymentAddress` field to `address(0)`.

Vulnerability Details

When a user calls `claim()` to get their tokens,

```solidity
function claim(uint256 poolId_, address user_) external payable poolExists(poolId_) {
    Pool storage pool = pools[poolId_];
    PoolData storage poolData = poolsData[poolId_];
    UserData storage userData = usersData[user_][poolId_];

    require(block.timestamp > pool.payoutStart + pool.claimLockPeriod, "DS: pool claim is locked");

    uint256 currentPoolRate_ = _getCurrentPoolRate(poolId_);
    uint256 pendingRewards_ = _getCurrentUserReward(currentPoolRate_, userData);
    require(pendingRewards_ > 0, "DS: nothing to claim");

    // Update pool data
    poolData.lastUpdate = uint128(block.timestamp);
    poolData.rate = currentPoolRate_;

    // Update user data
    userData.rate = currentPoolRate_;
    userData.pendingRewards = 0;

    // Transfer rewards
    L1Sender(l1Sender).sendMintMessage{value: msg.value}(user_, pendingRewards_, _msgSender());

    emit UserClaimed(poolId_, user_, pendingRewards_);
}
```

the function makes an external call to the `sendMintMessage()` function of the `L1Sender` contract.

```solidity
function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {
    RewardTokenConfig storage config = rewardTokenConfig;

    bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));
    bytes memory payload_ = abi.encode(user_, amount_);

    ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
        config.receiverChainId, // communicator LayerZero chainId
        receiverAndSenderAddresses_, // send to this address to the communicator
        payload_, // bytes payload
        payable(refundTo_), // refund address
        address(0x0), // future parameter <== @audit
        bytes("") // adapterParams (see "Advanced Features")
    );
}
```

This function in turn makes an external call to the LayerZero `send()` function with `_zroPaymentAddress == address(0x0)`.

However, setting the _zroPaymentAddress field to a fixed value of address(0x0) eliminates the possibility for the protocol to adopt the ZRO token as a future fee payment method, particularly considering the potential launch of ZRO in the upcoming year.

For more details about this vulnerability, please take a look at the following links:
LayerZero Integration Checklist

Impact

This limits the contract's flexibility and may cause a DoS if the LayerZero contract ever disallows payments other than the ZRO token.

Tools Used

Manual audit

Recommendations

To enhance flexibility for future fee payments using ZRO tokens, it is advisable to pass the _zroPaymentAddress field as an input parameter.
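One way to apply this recommendation, as an added example that is not the project's code: a trimmed-down sender that forwards the ZRO payment address to the endpoint instead of hardcoding it. The contract name `L1SenderSketch`, the constructor, the revert string and the `zroPaymentAddress_` parameter are assumptions; the caller in `claim()` would need to supply the extra argument.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// LayerZero v1 endpoint `send`, with the argument order used in the excerpt above.
interface ILayerZeroEndpoint {
    function send(
        uint16 _dstChainId,
        bytes calldata _destination,
        bytes calldata _payload,
        address payable _refundAddress,
        address _zroPaymentAddress,
        bytes calldata _adapterParams
    ) external payable;
}

// Hypothetical sketch for illustration; names not on the page are assumptions.
contract L1SenderSketch {
    struct RewardTokenConfig {
        address gateway;        // LayerZero endpoint
        address receiver;       // receiver contract on the destination chain
        uint16 receiverChainId; // LayerZero chain id of the destination
    }

    address public immutable distribution;
    RewardTokenConfig public rewardTokenConfig;

    modifier onlyDistribution() {
        require(msg.sender == distribution, "L1S: invalid sender");
        _;
    }

    constructor(address distribution_, RewardTokenConfig memory config_) {
        distribution = distribution_;
        rewardTokenConfig = config_;
    }

    function sendMintMessage(
        address user_, uint256 amount_, address refundTo_,
        address zroPaymentAddress_ // address(0) keeps the current native-fee path
    ) external payable onlyDistribution {
        RewardTokenConfig storage config = rewardTokenConfig;
        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId,
            abi.encodePacked(config.receiver, address(this)),
            abi.encode(user_, amount_),
            payable(refundTo_),
            zroPaymentAddress_, // forwarded instead of hardcoded address(0x0)
            bytes("")
        );
    }
}
```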

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: Do not hardcode address zero (address(0)) as zroPaymentAddress
