search

TangibleTNFT / ustb

MIT License
0 stars 1 forks source link

[LZR-01C] Cross-Chain Amount Truncation #7

Open dkuppitz opened 1 year ago

dkuppitz commented 1 year ago

LZR-01C: Cross-Chain Amount Truncation

Type Severity Location
Code Style LayerZeroRebaseTokenUpgradeable.sol:L154, L159

Description:

The SendToChain event's amount emitted during the LayerZeroRebaseTokenUpgradeable::_send function may not be equal to the actual amount transferred by the function due to potential truncation in the LayerZeroRebaseTokenUpgradeable::_debitFrom function.

Impact:

In contrast to the EIP-20 related exhibit, this one relates to a custom event and thus is of minimal impact.

Example:

Message memory message = Message({
    shares: _debitFrom(from, dstChainId, toAddress, amount),
    rebaseIndex: rebaseIndex(),
    nonce: _rebaseNonce()
});

emit SendToChain(dstChainId, from, toAddress, amount);

Recommendation:

We advise the amount value emitted in the SendToChain event within LayerZeroRebaseTokenUpgradeable::_send to be set to the message.shares.toTokens(message.rebaseIndex) value, ensuring that the amount emitted matches the actual one transferred by the cross-chain transfer.

dkuppitz commented 1 year ago

Resolved in 33a61b328dc5075dce8048edb4b69182a2c41f48.