MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Do not hardcode `adapterParams` to `bytes("")`

Summary

Do not hardcode `adapterParams` to `bytes("")`.

Vulnerability Details

When rewards are claimed, the function `sendMintMessage` performs an external call using a hardcoded value for `adapterParams`.

```solidity
function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {
    RewardTokenConfig storage config = rewardTokenConfig;

    bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));
    bytes memory payload_ = abi.encode(user_, amount_);

    ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
        config.receiverChainId, // communicator LayerZero chainId
        receiverAndSenderAddresses_, // send to this address to the communicator
        payload_, // bytes payload
        payable(refundTo_), // refund address
        address(0x0), // future parameter
        bytes("") // adapterParams (see "Advanced Features") <== @audit
    );
}
```

According to the LayerZero Integration Documentation, this field should not be hardcoded:

> Do not hardcode zero bytes (bytes(0)) as adapterParams. Pass them as a parameter instead.

Impact

If the `adapterParams` field becomes required for any reason, the contract will not function correctly.

Tools Used

Manual audit

Recommendations

For more flexibility, pass `adapterParams` as a parameter.
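
The recommended change, written out as an added example (not code from the audited project or from the submission): `sendMintMessage` takes `adapterParams_` from the caller and forwards it to the endpoint. The contract name `L1SenderExample`, the struct layout, the constructor and the helper `buildAdapterParamsV1` are assumptions made for illustration; the helper uses LayerZero v1's version-1 layout (a `uint16` version followed by a `uint256` destination gas limit).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Same send() signature the finding's snippet calls (LayerZero v1 endpoint).
interface ILayerZeroEndpoint {
    function send(
        uint16 dstChainId, bytes calldata destination, bytes calldata payload,
        address payable refundAddress, address zroPaymentAddress, bytes calldata adapterParams
    ) external payable;
}

// Hypothetical stand-in for the sender contract; the storage layout is assumed.
contract L1SenderExample {
    struct RewardTokenConfig { address gateway; address receiver; uint16 receiverChainId; }

    RewardTokenConfig public rewardTokenConfig;
    address public immutable distribution;

    modifier onlyDistribution() {
        require(msg.sender == distribution, "not distribution");
        _;
    }

    constructor(address distribution_, RewardTokenConfig memory config_) {
        distribution = distribution_;
        rewardTokenConfig = config_;
    }

    // adapterParams_ is supplied by the caller instead of being fixed to bytes("").
    function sendMintMessage(
        address user_, uint256 amount_, address refundTo_, bytes calldata adapterParams_
    ) external payable onlyDistribution {
        RewardTokenConfig storage config = rewardTokenConfig;
        bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));
        bytes memory payload_ = abi.encode(user_, amount_);
        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId, receiverAndSenderAddresses_, payload_,
            payable(refundTo_), address(0x0), adapterParams_
        );
    }

    // Version-1 adapterParams: uint16 version (1) followed by the destination gas limit.
    function buildAdapterParamsV1(uint256 dstGasLimit_) external pure returns (bytes memory) {
        return abi.encodePacked(uint16(1), dstGasLimit_);
    }
}
```

Because the function is restricted by `onlyDistribution`, the distribution contract that calls it has to accept and forward the same bytes for the parameter to be usable.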

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: Do not hardcode zero bytes (bytes(0)) as adapterParams.
