MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

L1Sender::sendMintMessage lack of refundTo_ address check allows to burn ETH forever

cryptonoob

Summary

L1Sender::sendMintMessage allows to burn ETH via refundTo_ parameter making impossible to recover it.
Setting refundTo_ parameter to Zero Address will burn ETH forever

Vulnerability Details

The vulnerability exists in L1Sender::sendMintMessage method. It doesnt check refundTo_ parameter
If zero address is used then all the gas not used will be burned

function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {

// ...

ILayerZeroEndpoint(config.gateway).send{value: msg.value}(

config.receiverChainId,

receiverAndSenderAddresses_,

payload_, // <& NO ZERO ADDRESS CHECK, so gas remaining ETH will be burned

payable(refundTo_),

//...

Impact

All remainig eth used in the function call will be burned forever, and wont be able to recover.
To show this add the following test case in test/L1Sender.test.ts file, under the sendMintMessage section:

describe('sendMintMessage', () => {

it('should send mint message2', async () => {

console.log("OWNER BEFORE",await ethers.provider.getBalance(OWNER.address));

console.log("ZERO_ADDR BEFORE",await ethers.provider.getBalance(ZERO_ADDR));

await l1Sender.sendMintMessage(SECOND, '999', ZERO_ADDR, { value: ethers.parseEther('0.1') });

console.log("OWNER ETH BALANCE AFTER",await ethers.provider.getBalance(OWNER.address));

console.log("ZERO_ADDR AFTER",await ethers.provider.getBalance(ZERO_ADDR));

expect(await rewardToken.balanceOf(SECOND)).to.eq('999');

});

Observe the remaining eth is transfered to Zero address

Tools Used

Manual review

Recommendations

Implement a zero address check on L1Sender::sendMintMessage

function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable onlyDistribution {

require(refundTo_ != address(0), "L1S: invalid refundTo_");

// ...

ILayerZeroEndpoint(config.gateway).send{value: msg.value}(

config.receiverChainId,

receiverAndSenderAddresses_,

payload_, // <& NO ZERO ADDRESS CHECK, so gas remaining ETH will be burned

payable(refundTo_),

//...

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.