Submission Details
Severity:
L2MessageReceiver::_nonblockingLzReceive could allow minting to zero address if some special tokens are used
Summary
L2MessageReceiver::_nonblockingLzReceive doesnt have checks to prevent minting to zero address assuming this check will be performed by rewardToken, however some tokens dont perform this check leading to token burning
Vulnerability Details
L2MessageReceiver::_nonblockingLzReceive doesnt check for user != zero address, so, if some token like DAI is used as rewardToken then will lead to token burning
function _nonblockingLzReceive(
uint16 senderChainId_,
bytes memory senderAndReceiverAddresses_,
bytes memory payload_
) private {
//...
(address user_, uint256 amount_) = abi.decode(payload_, (address, uint256));
IMOR(rewardToken).mint(user_, amount_);
}
Dai minting code:
//https://raw.githubusercontent.com/makerdao/dss/master/src/dai.sol
function mint(address usr, uint wad) external auth {
balanceOf[usr] = add(balanceOf[usr], wad);
totalSupply = add(totalSupply, wad);
emit Transfer(address(0), usr, wad);
}
Leading to token burning
Impact
Token burning
Bad balance accounting
Tools Used
Manual review
Recommendations
Implement a zero address check on user parameter
function _nonblockingLzReceive(
uint16 senderChainId_,
bytes memory senderAndReceiverAddresses_,
bytes memory payload_
) private {
//...
(address user_, uint256 amount_) = abi.decode(payload_, (address, uint256));
require(user_ != address(0), "L1S: invalid user_");
IMOR(rewardToken).mint(user_, amount_);
}
Updates
Prize pool breakdown
Total prize
22,500 USDC
nSLOC
1,05421 USDC / LOC
20,000 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.