Relayer Address Not Appended as Described in executeMetaTransaction
Summary
The documentation within the NativeMetaTransaction contract states that both the userAddress and relayerAddress should be appended to the functionSignature during the meta-transaction execution. However, the actual implementation of the executeMetaTransaction function only appends the userAddress and not the relayerAddress. This discrepancy between the comment and the code may result in confusion or incorrect expectations during function execution.
Vulnerability Details
Here is the comment:
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L61
The comment explicitly mentions appending both the userAddress and relayerAddress, but the code only appends userAddress. This could create confusion about how the relayer is being handled and whether the relayer's information is properly included in the transaction context.
Impact
It could create tracking issues if external systems are built to extract and rely on the relayer address from the function signature.
Tools Used
Manual review
Recommendations
The code should be updated to append both the userAddress and the relayerAddress as indicated by the comment or the comment should be revised to accurately reflect the current behavior of the code. This ensures that the documentation aligns with the actual code logic preventing confusion for developers and auditors.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.