`L2MessageReceiver` contract: changing `config.sender` address will result in stuck minting messages
Summary
L2MessageReceiver contract: changing config.sender address will result in stuck minting messages.
Vulnerability Details
-
The
L1Sendercontract is responsible of managing and redirecting calls from L1 to L2 gateways. -
The
Distributioncontract will call theL1Sendercontract when the stakers of pools claim their rewards viaDistribution.claimfunction, where a mint message is going to be sent to theL2MessageReceivercontract on Arbitrum chain, and this operation is done via the layer zero endpoint on the Ethereum chain (viasendfunction implemented by the layer zero endpoint)://@@notice : from L1Sender.sendMintMessage functionbytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));bytes memory payload_ = abi.encode(user_, amount_);ILayerZeroEndpoint(config.gateway).send{value: msg.value}(config.receiverChainId, // communicator LayerZero chainIdreceiverAndSenderAddresses_, // send to this address to the communicatorpayload_, // bytes payloadpayable(refundTo_), // refund addressaddress(0x0), // future parameterbytes("") // adapterParams (see "Advanced Features")); -
The mint message is going to be received and executed by the
L2MessageReceivercontract on Arbitrum; where it will check if the sender of the lz message is the authorizedL1Sendercontract address before minting theMORtokens to the claimer address://@@notice : from L2MessageReceiver._nonblockingLzReceive functionassembly {sender_ := mload(add(senderAndReceiverAddresses_, 20))}require(sender_ == config.sender, "L2MR: invalid sender address"); -
So as can be noticed: the
config.receiverinL1Sendercontract should be theconfig.senderin theL2MessageReceivercontract as theL2MessageReceiver._nonblockingLzReceivefunction will extract the first encoded address from thesenderAndReceiverAddresses_argument. -
Knowing that the
L2MessageReceiverimplements a non-blocking receive mechanism, where any failed mint messages are catched and saved in theL2MessageReceivercontract so that they can be executed later:
if the admin of theL2MessageReceivercontract changes theconfig.senderaddress; this will result in failed messages to never be executed as the aforementioned check on the sender address will revert.
Impact
This will result in users losing their entitled rewards, as the Distribution contract will reset their uncalimed rewards to zero when they claim them, optimistically assuming that their rewards will be successfully minted on L2, and the L2MessageReceiver will never be able to execute their failed rewards minting.
Proof of Concept
L1Sender.sendMintMessage function/ L127-L137
L2MessageReceiver._nonblockingLzReceive function/ L97-L101
L2MessageReceiver.setParams function
Tools Used
Manual Review.
Recommendations
In L2MessageReceiver contract : add a mechanism to cache the config.sender address for the failed messages so that they can be executed later even if the config.sender address is changed.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.