The depositTokens function in Bridge.sol sends messages from Ethereum to Starknet using the sendMessageToL2 function of the StarknetMessaging contract.
The function does not explicitly check whether msg.value is at least 20,000 wei before calling the sendMessageToL2 function. If msg.value is less than 20,000 wei, the StarknetMessaging contract may not process the message correctly.
According to the Cairo docs:
It's important to note that we have {value: msg.value}. In fact, the minimum value we've to send here is 20k wei, due to the fact that the StarknetMessaging contract will register the hash of our message in the storage of Ethereum.
Add a check to ensure that msg.value is at least 20,000 wei before calling the sendMessageToL2 function. If msg.value is below this threshold, revert the transaction to prevent underfunded message submissions.
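One way to implement the recommended check, as an added sketch that is not the project's Bridge.sol: the contract name, storage layout, function parameters and payload format are assumptions, and only sendMessageToL2 and the 20,000 wei threshold come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Messaging entry point of the Starknet core contract on L1.
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

// Hypothetical, simplified bridge (assumed names and payload layout).
contract BridgeFeeCheckExample {
    // Minimum L1 -> L2 message fee quoted in the finding (20,000 wei).
    uint256 public constant MIN_L1_MSG_FEE = 20_000;

    IStarknetMessaging public immutable starknetCore;
    uint256 public immutable l2Bridge;          // L2 bridge address (assumed)
    uint256 public immutable l2DepositSelector; // L2 handler selector (assumed)

    error InsufficientMessageFee(uint256 sent, uint256 required);

    constructor(IStarknetMessaging core, uint256 l2Bridge_, uint256 selector_) {
        starknetCore = core;
        l2Bridge = l2Bridge_;
        l2DepositSelector = selector_;
    }

    function depositTokens(uint256 l2Recipient, uint256 tokenId) external payable {
        // Reject underfunded submissions first, before any token is escrowed,
        // so a low-fee call cannot leave assets locked on L1.
        if (msg.value < MIN_L1_MSG_FEE) {
            revert InsufficientMessageFee(msg.value, MIN_L1_MSG_FEE);
        }

        // Token escrow would happen here in a real bridge (omitted).

        uint256[] memory payload = new uint256[](2);
        payload[0] = l2Recipient;
        payload[1] = tokenId;

        // Forward the full fee with the message.
        starknetCore.sendMessageToL2{value: msg.value}(l2Bridge, l2DepositSelector, payload);
    }
}
```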
Impact: Medium/High. An admin needs to start a cancellation and then wait 5 days once that is done. DoS > 5 days.
Likelihood: Low. Occurs every time a wallet or a user does not send enough gas.