MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Invalid

Lack of validation in `setRewardTokenConfig` function

Summary

The L1Sender contract contains a vulnerability in the setRewardTokenConfig function, where the input newConfig_ struct is not adequately validated. This oversight allows all values within newConfig_ to be set to zero, including receiverChainId and receiver address. If receiverChainId is set to 0, it may cause issues in cross-chain communication, disrupting the intended functionality. Additionally, if the receiver address is set to zero, the sendMintMessage function will send funds to the zero address.

Vulnerability Details

The vulnerable code lies in the setRewardTokenConfig function, which allows an admin to update the configuration without proper validation. The newConfig_ struct includes the gateway, receiver, and receiverChainId parameters. Lack of validation opens up the possibility of setting receiverChainId to 0, potentially leading to cross-chain communication issues, and receiver to a zero address, resulting in fund loss.

Impact

Zero Receiver Address:

  • If receiver is set to a zero address, the sendMintMessage function will send funds to the zero address. While Ethereum allows sending funds to the zero address, it's typically unintentional and results in irrecoverable fund loss.

Zero Chain ID:

  • If receiverChainId is set to 0, it may cause disruptions in cross-chain communication. The send function from ILayerZeroEndpoint requires a valid chain ID, and a chain ID of 0 might lead to undefined behavior or issues in LayerZero communication.

POC

  • Copy the test below and run it with `forge test --match-test testSetRewardTokenConfig -vvv`

Test:

    function testSetRewardTokenConfig() public {
        // Call as the contract owner, the only account allowed to update the config.
        vm.prank(l1Sender.owner());
        // Consider the struct values set to 0, and the addresses set to the zero address accordingly.
        l1Sender.setRewardTokenConfig(rewardTokenConfig);
        // The call above did not revert. The assertions below read the test's own
        // rewardTokenConfig struct, i.e. the values that were passed in.
        assertEq(rewardTokenConfig.gateway, address(0));
        assertEq(rewardTokenConfig.receiver, address(0));
        assertEq(rewardTokenConfig.receiverChainId, 0);
    }

Result:

Running 1 test for test/fuzz/AITests.t.sol:AiTestsFuzzTester
[PASS] testSetRewardTokenConfig() (gas: 21476)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 10.34ms

Recommendations

  • Validate that receiver is not set to a zero address to prevent unintentional fund loss.

  • Ensure that receiverChainId is a non-zero and valid chain ID to avoid disruptions in cross-chain communication.
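
One way to apply both recommendations, as an added example that is not the project's own code. `ValidatedSender` and `ValidatedSenderCheck` are hypothetical stand-ins, and the struct's field types, the error names and the inline owner check are assumptions; the report names only the fields `gateway`, `receiver` and `receiverChainId`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Field types are assumptions; the report names only the
// three fields gateway, receiver and receiverChainId.
struct RewardTokenConfig {
    address gateway;
    address receiver;
    uint16 receiverChainId;
}

error NotOwner();
error ZeroReceiver();
error ZeroReceiverChainId();

// Hypothetical stand-in for L1Sender with a validating setter.
contract ValidatedSender {
    address public immutable owner = msg.sender;
    RewardTokenConfig public rewardTokenConfig;

    function setRewardTokenConfig(RewardTokenConfig calldata newConfig_) external {
        if (msg.sender != owner) revert NotOwner();
        // Reject the two zero values the recommendations call out.
        if (newConfig_.receiver == address(0)) revert ZeroReceiver();
        if (newConfig_.receiverChainId == 0) revert ZeroReceiverChainId();
        rewardTokenConfig = newConfig_;
    }
}

// Self-check without a test framework: deploys the sender (becoming its
// owner) and reports whether an all-zero config is rejected.
contract ValidatedSenderCheck {
    ValidatedSender public immutable sender = new ValidatedSender();

    function zeroConfigIsRejected() external returns (bool) {
        RewardTokenConfig memory cfg; // all fields default to zero
        try sender.setRewardTokenConfig(cfg) {
            return false; // accepted: validation is missing
        } catch (bytes memory reason) {
            return bytes4(reason) == ZeroReceiver.selector;
        }
    }

    function validConfigIsStored(address receiver_, uint16 chainId_) external returns (bool) {
        // gateway is left at zero: the recommendations do not cover it.
        sender.setRewardTokenConfig(RewardTokenConfig(address(0), receiver_, chainId_));
        (, address r, uint16 c) = sender.rewardTokenConfig();
        return r == receiver_ && c == chainId_;
    }
}
```

The non-zero check only rules out the default value; restricting `receiverChainId` to the chain IDs the deployment actually uses would need an allow-list, which is not shown here.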

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
