Hardcoded '_zroPaymentAddress' field to 'address(0)' disallows future ZRO fee payments and allows the possibility of L1Sender.sol falling apart in case LayerZero makes breaking changes
Summary
Hardcoding the _zroPaymentAddress in the L1Sender::sendMintMessage function disallows the protocol from using ZRO token as a fee payment option furthermore if any updates are made by the LayerZero team then there are possibilities for the protocol's core functionality breaking down.
Vulnerability Details
The following line of code is responsible.
LayerZero team has provided an integration checklist To ensure smooth integration and maximum flexibility.
https://layerzero.gitbook.io/docs/troubleshooting/layerzero-integration-checklist
See point 5 in the checklist:
Currently the protocol is not following the checklist defined by LayerZero team according to point 5.
Impact
User's will not be allowed to use ZRO tokens as fee payments and there are chances for the core functionality of the protocol to break down if LayerZero makes changes which breaks the protocol's functionality. Therefore a checklist has been provided by the LayerZero Team.
Tools Used
Manual Review, Solodit
Recommendations
Consider passing _zroPaymentAddress field as an input parameter to allow flexibility of future fee payments using ZRO tokens as mentioned in the checklist.
Lead Judging Commences
LayerZero Integration: Do not hardcode address zero (address(0)) as zroPaymentAddress
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.