MorpheusAI
MorpheusAI
Foundry
22,500 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

config.gateway cannot be the same as layerZeroEndpoint address

kodyvim

Summary

config.gateway is interchangeably used as layerZero endpoint.

Vulnerability Details

The gateway address is also used interchangably used as layerZeroEndpoint address in multiple instances.
This would result in reverts when calling the layerzero endpoint due to wrong implementation.
from the interface:
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/interfaces/IL1Sender.sol#L24

struct RewardTokenConfig {
address gateway;//<@
address receiver;
uint16 receiverChainId;
}

gateway is the address of token's gateway.
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L1Sender.sol#L114

IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(
config.token,
config.receiver,
amount_,
gasLimit_,
maxFeePerGas_,
data_
);

https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L1Sender.sol#L130

ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
config.receiverChainId, // communicator LayerZero chainId
receiverAndSenderAddresses_, // send to this address to the communicator
payload_, // bytes payload
payable(refundTo_), // refund address
address(0x0), // future parameter
bytes("") // adapterParams (see "Advanced Features")
);

This is also used as the layerZeroEndpoint address which would always revert due to mismatched implementation.

Impact

Cross-chain functionality would revert due to mismatch implementation

Tools Used

Manual Review

Recommendations

The config.gateway should be different from layerZero endpoint address.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.