Fees not integrated with LayerZero functions #851
Labels: bug (Something isn't working); downgraded by judge (Judge downgraded the risk level of this issue); grade-a; low quality report (This report is of especially low quality); Q-10; QA (Quality Assurance) (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax)
Comments

c4-submissions added the labels "2 (Med Risk)" (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and "bug" (Something isn't working) on Oct 6, 2023.

0xA5DF marked the issue as duplicate of #785.
0xA5DF marked the issue as low quality report.

c4-pre-sort added the label "low quality report" (This report is of especially low quality) on Oct 12, 2023.

Comment: "Identified only part of the issue, partial credit imo."

alcueca marked the issue as not a duplicate.

Comment: "As presented, it only impacts the user calling the function, and the only loss is gas."

c4-judge added the labels "downgraded by judge" (Judge downgraded the risk level of this issue) and "QA (Quality Assurance)" (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax) and removed the label "2 (Med Risk)" (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) on Oct 22, 2023.

alcueca changed the severity to QA (Quality Assurance).
alcueca marked the issue as grade-a.
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchBridgeAgent.sol#L180-L336
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L160-L344
Vulnerability details

Impact

LayerZero requires a fee to be paid to process transactions successfully. If a user doesn't include enough ETH for the gas, the transaction will fail; that's why an `estimateFees` function is available on the LayerZero Endpoint address. However, no check is done to prevent users from sending insufficient ETH with transactions. This causes an issue, as transactions will fail on the LayerZero layer since execution will run out of gas.
Proof of Concept

As we can see, `estimateFees` is not checked at all. It also is not checked in `_performCall`.
Tools Used
Manual Review, LayerZero Docs
Recommended Mitigation Steps

Get the estimated native fees for a transaction of a particular payload using `estimateFees()`, and check against the current `msg.value` to ensure that it is enough.

Assessed type

Error
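The mitigation above, as an added example written for this page; it is not code from the Maia repository and does not reproduce BranchBridgeAgent or RootBridgeAgent. The `ILayerZeroEndpoint` signatures for `estimateFees` and `send` are LayerZero's real V1 interface; everything else (the `FeeCheckedBridgeAgent` contract, `callOut`, `callOutUnchecked`, `quoteFee`, `InsufficientNativeFee`, `rootBridgeAgentPath`, the constructor parameters) is a hypothetical stand-in for the report's `_performCall`, showing the unchecked forward of `msg.value` beside the version that quotes the fee and reverts early.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of the LayerZero V1 endpoint interface (ILayerZeroEndpoint); only the
// two functions this example needs, with their real signatures.
interface ILayerZeroEndpoint {
    function estimateFees(
        uint16 _dstChainId,
        address _userApplication,
        bytes calldata _payload,
        bool _payInZRO,
        bytes calldata _adapterParams
    ) external view returns (uint256 nativeFee, uint256 zroFee);

    function send(
        uint16 _dstChainId,
        bytes calldata _destination,
        bytes calldata _payload,
        address payable _refundAddress,
        address _zroPaymentAddress,
        bytes calldata _adapterParams
    ) external payable;
}

// Hypothetical bridge agent (assumed name, not Maia's contract). It models the
// pattern the report describes: forwarding msg.value to the endpoint unchecked.
contract FeeCheckedBridgeAgent {
    error InsufficientNativeFee(uint256 required, uint256 provided);

    ILayerZeroEndpoint public immutable lzEndpoint;
    uint16 public immutable rootChainId;
    // LayerZero V1 trusted-remote path: abi.encodePacked(remote, local).
    bytes public rootBridgeAgentPath;

    constructor(address _endpoint, uint16 _rootChainId, address _rootBridgeAgent) {
        lzEndpoint = ILayerZeroEndpoint(_endpoint);
        rootChainId = _rootChainId;
        rootBridgeAgentPath = abi.encodePacked(_rootBridgeAgent, address(this));
    }

    // Vulnerable pattern from the report: msg.value is forwarded without
    // comparing it to the fee the endpoint will demand. If it is short, the
    // call reverts inside LayerZero and the caller has only burned gas.
    function _performCallUnchecked(
        address payable _refundee,
        bytes memory _payload,
        bytes memory _adapterParams
    ) internal {
        lzEndpoint.send{value: msg.value}(
            rootChainId, rootBridgeAgentPath, _payload, _refundee, address(0), _adapterParams
        );
    }

    // Hardened pattern: quote the native fee for this exact payload and adapter
    // params first, and fail early with a descriptive error before any state
    // changes or external calls.
    function _performCallChecked(
        address payable _refundee,
        bytes memory _payload,
        bytes memory _adapterParams
    ) internal {
        (uint256 nativeFee, ) = lzEndpoint.estimateFees(
            rootChainId, address(this), _payload, false, _adapterParams
        );
        if (msg.value < nativeFee) revert InsufficientNativeFee(nativeFee, msg.value);
        lzEndpoint.send{value: msg.value}(
            rootChainId, rootBridgeAgentPath, _payload, _refundee, address(0), _adapterParams
        );
    }

    // Entry point using the unchecked path (kept only to show the contrast).
    function callOutUnchecked(bytes calldata _payload, bytes calldata _adapterParams) external payable {
        _performCallUnchecked(payable(msg.sender), _payload, _adapterParams);
    }

    // Entry point using the checked path. Any surplus above the quoted fee is
    // refunded by LayerZero to the refund address, so a small overpayment is safe.
    function callOut(bytes calldata _payload, bytes calldata _adapterParams) external payable {
        _performCallChecked(payable(msg.sender), _payload, _adapterParams);
    }

    // View helper so callers can quote the fee off-chain before sending.
    function quoteFee(bytes calldata _payload, bytes calldata _adapterParams)
        external
        view
        returns (uint256 nativeFee)
    {
        (nativeFee, ) = lzEndpoint.estimateFees(rootChainId, address(this), _payload, false, _adapterParams);
    }
}
```

The quote must use the same payload and adapter params that are passed to `send`, since the relayer prices the destination gas from them. `estimateFees` is a quote at the current block; relayer pricing can move between quoting and execution, so the check turns an opaque revert deep in LayerZero into an early, descriptive one rather than guaranteeing delivery. That is also why the judge graded the finding QA: without the check the endpoint still refuses the underpaid message, and the caller's only loss is the gas spent reaching it.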