NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

addMessageHashForAutoWithdraw()::Messaging.sol shouldn't be payable

Summary

addMessageHashForAutoWithdraw()::Messaging.sol shouldn't be payable since it doesn't require sending any native tokens to work.

Vulnerability Details

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Messaging.sol#L46-L61

```solidity
/**
 * @notice Adds the hash of a message that can be consumed with the auto
 * method.
 * @param msgHash Hash of the message to be considered as consumable.
 */
function addMessageHashForAutoWithdraw(
    uint256 msgHash
)
    external
    payable
    onlyOwner
{
    bytes32 hash = bytes32(msgHash);
    if (_autoWithdrawn[hash] != WITHDRAW_AUTO_NONE) {
        revert WithdrawMethodError();
    }
    _autoWithdrawn[hash] = WITHDRAW_AUTO_READY;
    emit MessageHashAutoWithdrawAdded(hash);
}
```

Any native tokens sent along with this call by mistake will be locked in the contract and won't be recoverable. The function doesn't need to be (and should not be) payable, since it doesn't require any native tokens to do its work.

Impact

Possible loss of funds.

Tools Used

GitHub, Visual Studio Code.

Recommendations

Remove `payable` from the function so that calls carrying native tokens by error are rejected instead of silently accepted.
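The following is an added example, not code from the ark-project repository or from this submission: a reduced stand-in for the relevant part of Messaging.sol (the `_autoWithdrawn` mapping, the two constants, the custom error and the event are reproduced only as far as the finding needs them; the `onlyOwner` modifier is replaced by an inline owner check) written twice, once with the `payable` declaration quoted above and once with the recommended fix. A Foundry test then shows the difference in behaviour: the payable version keeps the ETH with no function to return it, while the non-payable version reverts on any non-zero `msg.value`. The contract names, `forge-std` usage and the `vm.deal` funding are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not project code): minimal before/after versions of the
// function from the finding plus a Foundry test of the stranded-ETH case.
import {Test} from "forge-std/Test.sol";

uint256 constant WITHDRAW_AUTO_NONE = 0;   // constructed value
uint256 constant WITHDRAW_AUTO_READY = 1;  // constructed value

error WithdrawMethodError();

// "Before": mirrors the payable declaration quoted in the finding.
contract MessagingPayable {
    address public immutable owner;
    mapping(bytes32 => uint256) internal _autoWithdrawn;

    event MessageHashAutoWithdrawAdded(bytes32 hash);

    constructor() { owner = msg.sender; }

    // payable here serves no purpose: the body never reads msg.value, and the
    // contract exposes no way to move ETH out again.
    function addMessageHashForAutoWithdraw(uint256 msgHash) external payable {
        require(msg.sender == owner, "not owner");
        bytes32 hash = bytes32(msgHash);
        if (_autoWithdrawn[hash] != WITHDRAW_AUTO_NONE) revert WithdrawMethodError();
        _autoWithdrawn[hash] = WITHDRAW_AUTO_READY;
        emit MessageHashAutoWithdrawAdded(hash);
    }
}

// "After": the recommended fix; the only change is dropping `payable`, so the
// compiler-generated entry check reverts whenever msg.value != 0.
contract MessagingFixed {
    address public immutable owner;
    mapping(bytes32 => uint256) internal _autoWithdrawn;

    event MessageHashAutoWithdrawAdded(bytes32 hash);

    constructor() { owner = msg.sender; }

    function addMessageHashForAutoWithdraw(uint256 msgHash) external {
        require(msg.sender == owner, "not owner");
        bytes32 hash = bytes32(msgHash);
        if (_autoWithdrawn[hash] != WITHDRAW_AUTO_NONE) revert WithdrawMethodError();
        _autoWithdrawn[hash] = WITHDRAW_AUTO_READY;
        emit MessageHashAutoWithdrawAdded(hash);
    }
}

contract PayableFindingTest is Test {
    // Constructed message hash used by both tests.
    uint256 internal constant MSG_HASH = uint256(keccak256("constructed-message-1"));

    function setUp() public {
        vm.deal(address(this), 10 ether); // fund the caller (owner of both contracts)
    }

    function test_payableVersionStrandsEth() public {
        MessagingPayable m = new MessagingPayable(); // this test contract is owner
        m.addMessageHashForAutoWithdraw{value: 1 ether}(MSG_HASH);
        // The call succeeded and the ETH now sits in a contract with no exit path.
        assertEq(address(m).balance, 1 ether);
    }

    function test_fixedVersionRejectsEth() public {
        MessagingFixed m = new MessagingFixed();
        // A high-level call with {value:} would not compile against a
        // non-payable function, so use a low-level call to show the revert.
        (bool ok, ) = address(m).call{value: 1 ether}(
            abi.encodeCall(m.addMessageHashForAutoWithdraw, (MSG_HASH))
        );
        assertFalse(ok);                 // rejected: msg.value != 0
        assertEq(address(m).balance, 0); // nothing stranded

        // The intended, value-free call still works.
        m.addMessageHashForAutoWithdraw(MSG_HASH);
    }
}
```

Run with `forge test --match-contract PayableFindingTest`. The point of the low-level call in the second test is that the compiler already refuses `{value: ...}` on a non-payable function at compile time; the runtime revert is what protects callers using raw transactions or wallets that attach value by mistake.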

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
