The `depositTokens` function in the Starklane contract in `Bridge.sol` does not correctly handle payloads that exceed the `MAX_PAYLOAD_LENGTH` limit, allowing for potential exploitation or rejection of legitimate transactions.

In the `depositTokens` function, after serializing the request data into a payload, the function checks whether the payload length is greater than or equal to `MAX_PAYLOAD_LENGTH`. If it is, the function reverts with a `TooManyTokensError`. This check is problematic because:

- The condition checks for `>= MAX_PAYLOAD_LENGTH` instead of `> MAX_PAYLOAD_LENGTH`. This could lead to valid requests being rejected if they exactly meet the `MAX_PAYLOAD_LENGTH` threshold.
- The threshold value (`MAX_PAYLOAD_LENGTH`) is hardcoded and does not account for varying requirements or potential changes.

- Legitimate Transactions Rejected: Requests whose payloads are exactly equal to `MAX_PAYLOAD_LENGTH` will be incorrectly rejected, affecting the functionality of the contract and potentially leading to denial of service for users.
- Potential Exploitation: The rigid payload size limit could be exploited to prevent certain transactions, depending on how the payload size is handled in practice.
Manual Review
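To make the boundary case concrete, here is an added Foundry test (not Starklane's code) against a stripped-down stand-in for the length check; the constant's value of 8, the function names and the dummy payload are assumptions, since only the comparison itself is described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the depositTokens length check; not the Starklane contract.
// The limit value is assumed: the real MAX_PAYLOAD_LENGTH lives in Bridge.sol.
contract PayloadBoundary {
    uint256 public constant MAX_PAYLOAD_LENGTH = 8;

    error TooManyTokensError();

    // Check as described in the finding: a payload whose length equals the limit reverts.
    function depositInclusive(uint256[] calldata payload) external pure returns (uint256) {
        if (payload.length >= MAX_PAYLOAD_LENGTH) revert TooManyTokensError();
        return payload.length;
    }

    // Strict comparison: a payload of exactly MAX_PAYLOAD_LENGTH elements is accepted.
    function depositExclusive(uint256[] calldata payload) external pure returns (uint256) {
        if (payload.length > MAX_PAYLOAD_LENGTH) revert TooManyTokensError();
        return payload.length;
    }
}

contract PayloadBoundaryTest is Test {
    PayloadBoundary b = new PayloadBoundary();

    // Constructed dummy payload of n elements; content is irrelevant to the check.
    function payload(uint256 n) internal pure returns (uint256[] memory p) {
        p = new uint256[](n);
    }

    function testExactLimit() public {
        uint256 n = b.MAX_PAYLOAD_LENGTH();
        vm.expectRevert(PayloadBoundary.TooManyTokensError.selector);
        b.depositInclusive(payload(n));              // rejected at the boundary
        assertEq(b.depositExclusive(payload(n)), n); // accepted at the boundary
    }

    function testOverLimit() public {
        uint256 n = b.MAX_PAYLOAD_LENGTH() + 1;
        vm.expectRevert(PayloadBoundary.TooManyTokensError.selector);
        b.depositInclusive(payload(n));              // both variants reject n + 1
        vm.expectRevert(PayloadBoundary.TooManyTokensError.selector);
        b.depositExclusive(payload(n));
    }
}
```

Whether rejecting a payload of exactly `MAX_PAYLOAD_LENGTH` is a defect depends on whether the limit is meant to be inclusive, which the real constant's definition in `Bridge.sol` decides.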
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real possible impact.