The depositTokens function in the L1 to L2 bridge contract does not implement any mechanism to refund excess msg.value if a user sends more than the fixed fee.
The depositTokens function allows users to send ether (msg.value) along with their transaction. This ether is intended to cover the fee for sending a message from the L1 contract to the L2 contract. However, the contract lacks logic to enforce that msg.value equals the fixed fee or to refund any excess value provided by the user.
The entire amount of ether sent by the user (msg.value) is used to cover the messaging fee when calling the sendMessageToL2 function in the StarknetCore contract.
If a user sends more ether than the fixed fee, the excess is not refunded. The contract does not calculate the difference between the fee and the provided msg.value or handle any refunds.
Since there is no refund mechanism, the excess ether remains locked in the Starknet Core contract without any means for users to reclaim it.
Manual Review
Implement Refund Logic for Excess Payment
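One way to implement the recommended refund, as an added example that is not the audited contract's code: only the fixed fee is forwarded to sendMessageToL2 and the remainder of msg.value is returned to the caller. The contract name, MESSAGE_FEE and its value, the constructor parameters, the payload layout and the error names are assumptions for illustration; token custody is left out because the page does not show it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Starknet core messaging interface that the bridge calls.
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

contract BridgeFeeRefundExample {
    // Assumed fixed fee; placeholder value, not taken from the audited code.
    uint256 public constant MESSAGE_FEE = 0.0001 ether;

    IStarknetMessaging public immutable starknetCore;
    uint256 public immutable l2Bridge;        // hypothetical L2 bridge address
    uint256 public immutable depositSelector; // hypothetical L1 handler selector

    error InsufficientFee(uint256 sent, uint256 required);
    error RefundFailed();

    constructor(IStarknetMessaging core, uint256 l2Bridge_, uint256 selector_) {
        starknetCore = core;
        l2Bridge = l2Bridge_;
        depositSelector = selector_;
    }

    function depositTokens(uint256 l2Recipient, uint256 amount) external payable {
        // Reject underpayment up front so the message is never sent unfunded.
        if (msg.value < MESSAGE_FEE) revert InsufficientFee(msg.value, MESSAGE_FEE);
        uint256 excess = msg.value - MESSAGE_FEE;

        uint256[] memory payload = new uint256[](2); // assumed payload layout
        payload[0] = l2Recipient;
        payload[1] = amount;

        // Forward exactly the fixed fee instead of the whole msg.value.
        starknetCore.sendMessageToL2{value: MESSAGE_FEE}(l2Bridge, depositSelector, payload);

        // Refund last, after all other work, so a reentrant caller finds nothing to exploit.
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```

A caller contract that cannot receive ether makes the refund fail and the whole deposit revert; requiring msg.value == MESSAGE_FEE instead avoids the refund call entirely.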
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.