MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Some LayerZero functionality is not available when sending the mint message.

Summary

Some LayerZero functionality is not available when sending the mint message.

Vulnerability Details

When users call the claim() function of Distribution.sol to claim MOR tokens, claim() calls sendMintMessage() of L1sender.sol, which in turn calls .send() on the LayerZeroEndpoint to send a message.

In that .send() call, however, some parameters are hardcoded to zero or null.

./L1sender.sol#Line130-138
        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId, // communicator LayerZero chainId
            receiverAndSenderAddresses_, // send to this address to the communicator
            payload_, // bytes payload
            payable(refundTo_), // refund address
            address(0x0), // future parameter
            bytes("") // adapterParams (see "Advanced Features")
        );
    }

The parameters _zroPaymentAddress and _adapterParams are set to address(0x0) and bytes("") respectively. Per the LayerZero integration checklist, this should be avoided; the values of _zroPaymentAddress and _adapterParams should be passed as parameters instead.

Impact

This does not follow the LayerZero integration checklist. Hardcoding _adapterParams to bytes("") prevents receiving airdropped native gas from the relayer on the destination, and hardcoding _zroPaymentAddress to address(0x0) prevents a ZRO token holder from paying for the transaction.

Tools Used

Manual Analysis

Recommendations

Values of _zroPaymentAddress and _adapterParams should be passed as a parameter instead.
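
One way to apply this recommendation, as an added sketch that is not the project's own code: both values are forwarded from the caller instead of being hardcoded. The contract name, struct layout, constructor, payload encoding and the buildAirdropParams helper are assumptions made for illustration, and access control is omitted.

```solidity
pragma solidity ^0.8.20;

// LayerZero v1 endpoint interface, reduced to the send() call used in the finding.
interface ILayerZeroEndpoint {
    function send(
        uint16 _dstChainId, bytes calldata _destination, bytes calldata _payload,
        address payable _refundAddress, address _zroPaymentAddress, bytes calldata _adapterParams
    ) external payable;
}

// Hypothetical stand-in for L1sender.sol; only the parts needed for the send() call.
contract L1SenderSketch {
    struct LayerZeroConfig { address gateway; address receiver; uint16 receiverChainId; }
    LayerZeroConfig public config;

    constructor(LayerZeroConfig memory config_) { config = config_; }

    // zroPaymentAddress_ and adapterParams_ are supplied by the caller, so ZRO fee
    // payment and relayer options stay available without redeploying the contract.
    function sendMintMessage(
        address user_, uint256 amount_, address refundTo_,
        address zroPaymentAddress_, bytes calldata adapterParams_
    ) external payable {
        bytes memory receiverAndSenderAddresses_ = abi.encodePacked(config.receiver, address(this));
        bytes memory payload_ = abi.encode(user_, amount_); // assumed payload layout

        ILayerZeroEndpoint(config.gateway).send{value: msg.value}(
            config.receiverChainId, // communicator LayerZero chainId
            receiverAndSenderAddresses_, // destination path
            payload_, // bytes payload
            payable(refundTo_), // refund address
            zroPaymentAddress_, // was address(0x0)
            adapterParams_ // was bytes("")
        );
    }

    // Version 2 adapterParams: destination gas limit plus native gas to airdrop
    // to dstAddr_ on the destination chain.
    function buildAirdropParams(
        uint256 gasLimit_, uint256 nativeForDst_, address dstAddr_
    ) external pure returns (bytes memory) {
        return abi.encodePacked(uint16(2), gasLimit_, nativeForDst_, dstAddr_);
    }
}
```

Passing address(0x0) and empty bytes from the caller reproduces the current default behaviour, so existing callers of claim() only need to forward two extra arguments.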

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

LayerZero Integration: Do not hardcode address zero (address(0)) as zroPaymentAddress

LayerZero Integration: Do not hardcode zero bytes (bytes(0)) as adapterParams.
