NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Loss of tokens through fees when bridging assets

Summary

When bridging assets from Ethereum to Starknet, the protocol uses the Starknet L1 to L2 messaging protocol by calling the sendMessageToL2 function, which charges a fee. The fee is taken from msg.value. Starknet documents how this fee is calculated (https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l1-l2-message-fees), so the amount to pay can be determined before the transaction is sent. However, the contract forwards the entire msg.value sent by the user.

Any ether sent beyond the required fee is therefore passed to the Starknet core contract along with the message, and there is no mechanism to refund the excess ETH to the user.

Vulnerability Details

The Bridge.sol contract calls the sendMessageToL2 function as seen below:

IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
snaddress.unwrap(_starklaneL2Address),
felt252.unwrap(_starklaneL2Selector),
payload
);

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L137C3-L141C11

The call forwards the entire msg.value sent with the transaction, and there is no mechanism to refund excess ETH.

Impact

Users lose any excess ETH sent with the transaction that deposits their tokens.

Tools Used

Recommendations

Consider determining the fee beforehand, given that the calculation is defined in the Starknet documentation, forwarding only that amount in the sendMessageToL2 call, and returning any remainder of msg.value to the caller.
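The following is an added illustration of that recommendation, not code from the Starklane repository. It keeps the real IStarknetMessaging.sendMessageToL2 signature (which returns the message hash and nonce) but uses a hypothetical ExplicitFeeBridge contract with a deposit function that takes the L2 fee as an explicit parameter; the l2Bridge and l2Selector values, the InsufficientFee/RefundFailed errors and the payload layout are all assumptions for the example. The caller obtains the fee off-chain (for instance with the starknet_estimateMessageFee JSON-RPC method), only that amount is forwarded, and the surplus is returned in the same transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Real Starknet core interface: the message fee is msg.value, and the call
// returns the message hash and the message nonce.
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

/// Hypothetical bridge fragment (example only, not Starklane's Bridge.sol).
/// The caller states the L2 fee explicitly; only that amount reaches the
/// Starknet core contract and any surplus ether is refunded.
contract ExplicitFeeBridge {
    IStarknetMessaging public immutable starknetCore;
    uint256 public immutable l2Bridge;   // assumed: L2 bridge address as a felt
    uint256 public immutable l2Selector; // assumed: L1 handler selector as a felt

    error InsufficientFee(uint256 provided, uint256 required);
    error RefundFailed();

    event Deposited(address indexed from, bytes32 msgHash, uint256 nonce, uint256 feePaid);

    constructor(address core, uint256 l2Bridge_, uint256 l2Selector_) {
        starknetCore = IStarknetMessaging(core);
        l2Bridge = l2Bridge_;
        l2Selector = l2Selector_;
    }

    /// @param payload  Message payload for the L2 handler (assumed format).
    /// @param l2Fee    Fee estimated off-chain (e.g. starknet_estimateMessageFee).
    function deposit(uint256[] calldata payload, uint256 l2Fee)
        external
        payable
        returns (bytes32 msgHash, uint256 nonce)
    {
        if (msg.value < l2Fee) revert InsufficientFee(msg.value, l2Fee);

        // Forward exactly the estimated fee instead of the whole msg.value.
        (msgHash, nonce) = starknetCore.sendMessageToL2{value: l2Fee}(
            l2Bridge,
            l2Selector,
            payload
        );
        emit Deposited(msg.sender, msgHash, nonce, l2Fee);

        // Refund the surplus last, after all state changes (checks-effects-interactions),
        // so a reentering caller finds nothing left to exploit.
        uint256 excess = msg.value - l2Fee;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```

Two points on the design: the fee is taken as a parameter rather than computed on L1, because the L1 to L2 fee depends on the L2 gas the handler consumes and is estimated off-chain, so the contract only enforces that the caller paid at least what they asked to forward; and the refund is made via a low-level call after the message has been sent, so a refund failure reverts the deposit rather than silently keeping the caller's ether.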

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
