Improper 2nd argument value passed in onlyAllowlisted modifier from _ccipReceive function
Summary
onlyAllowlisted modifier checks whether request sender address is whitelisted.
Vulnerability Details
KittyBridge addresses will be whitelisted in variable allowlistedSenders. But msg.sender (which is router address) is passed in modifier "onlyAllowlisted()" from _ccipReceive functions. Ideally the 2nd parameter should be - abi.decode(any2EvmMessage.sender, (address))
Impact
_ccipReceive() function will revert as router address will not be whitelisted(stored in allowlistedSenders variable). Iit will be a risky move if owner adds router address in allowlistedSenders variable to make this function work. If owner does this, then any contract can call this function coming through chain router as there will be single router for entire chain.
Tools Used
VS code
Recommendations
Under function _ccipReceive() - the 2nd parameter in modifier onlyAllowlisted() should be updated from msg.sender to abi.decode(any2EvmMessage.sender, (address))
Lead Judging Commences
`onlyAllowlisted` modifier is not properly implemented in case of _ccipReceive
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.