Era

ZKsync
Foundry, Layer 2
500,000 USDC
Submission Details
Severity: low
Valid

Incorrect input validation (68 not 36) in `L1Nullifier._parseL2WithdrawalMessage` for `IAssetRouterBase.finalizeDeposit` messages will `mload` from unpredictable values

Summary

The function `L1Nullifier._parseL2WithdrawalMessage` in the `L1Nullifier.sol` contract validates its input incorrectly on the `bytes4(functionSignature) == IAssetRouterBase.finalizeDeposit.selector` branch. It checks that `_l2ToL1message` is at least 36 bytes long, but it should require a minimum length of 68 bytes to handle `IAssetRouterBase.finalizeDeposit` messages properly.

Vulnerability Details

The current validation logic in `L1Nullifier._parseL2WithdrawalMessage` reverts only if `_l2ToL1message` is shorter than 36 bytes. However, `IAssetRouterBase.finalizeDeposit` messages need at least 68 bytes to be processed correctly. Because of this discrepancy, a message between 36 and 67 bytes long passes the check, and the function then attempts to read from uninitialized or unpredictable memory locations, potentially causing unexpected behavior.

Impact

The incorrect input validation can result in `L1Nullifier._parseL2WithdrawalMessage` attempting to `mload` from unpredictable values. This can lead to the `transferData` value being invalid.

Tools Used

Manual review

Recommendations

Update the input validation logic in `L1Nullifier._parseL2WithdrawalMessage` to check for a minimum length of 68 bytes instead of 36 bytes.
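The effect of the two bounds can be seen in a small Python model of a 32-byte `mload` past the end of a `bytes` value. This is an added example, not code from the submission or from the ZKsync contracts. It assumes the message layout is selector (4 bytes), chainId (32 bytes), assetId (32 bytes), and uses a simplified, unpadded memory model; `Memory`, `parse_asset_id` and the sample bytes are hypothetical.

```python
SELECTOR_LEN, WORD = 4, 32
MIN_LEN_BUGGY, MIN_LEN_FIXED = 36, 68   # the two bounds named on the page

class Memory:
    """Simplified flat memory: a bytes value is a 32-byte length word, then its data."""
    def __init__(self):
        self.buf = bytearray()

    def alloc_bytes(self, data: bytes) -> int:
        ptr = len(self.buf)
        self.buf += len(data).to_bytes(WORD, "big") + data
        return ptr

    def mload(self, addr: int) -> bytes:
        # Like the opcode: always returns 32 bytes, with no notion of object bounds.
        return bytes(self.buf[addr:addr + WORD]).ljust(WORD, b"\x00")

def parse_asset_id(mem: Memory, msg_ptr: int, min_len: int) -> bytes:
    """Length-check the message, then read assetId the way an unchecked reader would."""
    length = int.from_bytes(mem.mload(msg_ptr), "big")
    if length < min_len:
        raise ValueError("wrong message length")
    data_start = msg_ptr + WORD
    offset = SELECTOR_LEN + WORD            # assumed layout: skip selector and chainId
    return mem.mload(data_start + offset)   # covers message bytes 36..67

def demo():
    mem = Memory()
    # Constructed 36-byte message: placeholder selector + chainId, no assetId at all.
    short_ptr = mem.alloc_bytes(b"\xaa\xbb\xcc\xdd" + (1).to_bytes(WORD, "big"))
    # Constructed neighbouring allocation that happens to follow it in memory.
    mem.alloc_bytes(b"N" * 32)
    stray = parse_asset_id(mem, short_ptr, MIN_LEN_BUGGY)
    try:
        parse_asset_id(mem, short_ptr, MIN_LEN_FIXED)
        rejected = False
    except ValueError:
        rejected = True
    return stray, rejected

if __name__ == "__main__":
    stray, rejected = demo()
    print("assetId read with the 36-byte check:", stray.hex())
    print("68-byte check rejects the short message:", rejected)
```

With the 36-byte bound, the value returned as the asset ID is the length word of the neighbouring allocation rather than anything in the message; with the 68-byte bound the same message is rejected before any read.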

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inadequate length check for IAssetRouterBase.finalizeDeposit.Selector in function _parseL2WithdrawalMessage
