MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Hardcoding of LayerZero parameters

Vulnerability Details

According to the LayerZero integration checklist, zroPaymentAddress and adapterParams should not be hardcoded in a LayerZero send operation; rather, they should be passed as parameters to the function.

https://layerzero.gitbook.io/docs/troubleshooting/layerzero-integration-checklist

Impact

The contract does not follow LayerZero integration best practices.

Tools Used

Manual Analysis

Recommendations

Pass zroPaymentAddress and adapterParams as parameters rather than hardcoding them:

- function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {
+ function sendMintMessage(address user_, uint256 amount_, address refundTo_, address _zroPaymentAddress, bytes memory _adapterParamers) external payable onlyDistribution {
RewardTokenConfig storage config = rewardTokenConfig;
bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));
bytes memory payload_ = abi.encode(user_, amount_);
ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
config.receiverChainId, // communicator LayerZero chainId
receiverAndSenderAddresses_, // send to this address to the communicator
payload_, // bytes payload
payable(refundTo_), // refund address
- address(0x0), // future parameter
+ _zroPaymentAddress,
- bytes("") // adapterParams (see "Advanced Features")
+ _adapterParamers
);
}
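
Review bot: In the new sendMintMessage signature, _zroPaymentAddress and _adapterParamers use a leading underscore while the existing parameters (user_, amount_, refundTo_) use a trailing one, and _adapterParamers misspells the adapterParams name used in the replaced line's comment. Rename them to zroPaymentAddress_ and adapterParams_ in both the signature and the send call. Because the function is restricted by onlyDistribution, the calling contract also has to be changed to supply the two new arguments, and that change is not visible in this hunk. The two added argument lines also drop the inline comments that the other send arguments carry, so restore a short comment on each.
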
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: Do not hardcode address zero (address(0)) as zroPaymentAddress

LayerZero Integration: Do not hardcode zero bytes (bytes(0)) as adapterParams.
