MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Do not hardcode address zero (`address(0)`) as `zroPaymentAddress`

Summary

`zroPaymentAddress` should not be hardcoded when calling the LayerZero endpoint. If LayerZero decides to release a token in the future, users will never be able to use ZRO, or whatever the hypothetical token's symbol is, to pay the transaction fee.

Vulnerability Details

    ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
        config.receiverChainId, // communicator LayerZero chainId
        receiverAndSenderAddresses_, // send to this address to the communicator
        payload_, // bytes payload
        payable(refundTo_), // refund address
        address(0x0), // future parameter
        bytes("") // adapterParams (see "Advanced Features")
    );

Impact

Because this address is hardcoded, if LayerZero releases a token in the future the contract won't be able to pay the fee in the ZRO token: the parameter will always be `address(0)`.

Tools Used

Manual

Recommendations

Consider passing `zroPaymentAddress` as a parameter to the function so that it can be updated later if you choose to pay fees in ZRO tokens.
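
One way to apply this recommendation, as an added example that is not the project's own code. The contract name `L1SenderExample`, the `LzConfig` layout, `sendMessage` and the `zroPaymentAddress_` parameter are assumptions; the interface is the LayerZero v1 endpoint reduced to `send`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// LayerZero v1 endpoint, reduced to the one function used here.
interface ILayerZeroEndpoint {
    function send(
        uint16 _dstChainId,
        bytes calldata _destination,
        bytes calldata _payload,
        address payable _refundAddress,
        address _zroPaymentAddress,
        bytes calldata _adapterParams
    ) external payable;
}

// Hypothetical sender contract: names and storage layout are assumptions.
contract L1SenderExample {
    struct LzConfig {
        address gateway;         // LayerZero endpoint on this chain
        address receiver;        // contract on the destination chain
        uint16 receiverChainId;  // LayerZero chain id of the destination
    }

    LzConfig public config;

    constructor(LzConfig memory config_) {
        config = config_;
    }

    // zroPaymentAddress_ is supplied per call instead of being fixed to
    // address(0x0). Passing address(0) keeps today's behaviour (fee paid
    // in the native token via msg.value).
    function sendMessage(
        bytes memory payload_,
        address refundTo_,
        address zroPaymentAddress_
    ) external payable {
        // v1 destination path: remote address followed by local address.
        bytes memory receiverAndSenderAddresses_ =
            abi.encodePacked(config.receiver, address(this));

        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId,
            receiverAndSenderAddresses_,
            payload_,
            payable(refundTo_),
            zroPaymentAddress_, // was: address(0x0)
            bytes("")           // adapterParams
        );
    }
}
```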

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: Do not hardcode address zero (address(0)) as zroPaymentAddress
