Closed code423n4 closed 2 years ago
Issue is correct, but
This is a known issue that was explicitly stated in the README under https://github.com/code-423n4/2022-02-skale#known-issues
I fail to understand why this would actually cause issues, if the call reverts no state changes would happen.
Additionally, as the issue was marked out of scope in the README, I am going to mark this finding invalid.
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/Messages.sol#L515-L529
Vulnerability details
Impact
In the event of user error while making the calldata for encodeTransferErc1155BatchMessage, where the sizes of the arrays of ids and amounts do not match, the message will get encoded due to no input validation; however, the transfer will fail at the other end of the bridge, resulting in the tokens getting stuck in the protocol.
Applies also to encodeTransferErc1155BatchAndTokenInfoMessage
These underlying functions are called in below contracts
Proof of Concept
Contract: Messages.sol, Line: 515 - There is no check for array length match for ids and amounts.
Recommended Mitigation Steps
Check that the array lengths of ids and amounts are the same during encoding and decoding of the Erc1155BatchMessage.
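
The recommended check, sketched as an added example that is not part of the original report and is not the project's code. The library, struct, error and function names are hypothetical stand-ins, not taken from Messages.sol; the same length check runs on both the encode and the decode path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration. All names here are hypothetical and do not come from Messages.sol.
library BatchMessageSketch {
    // Hypothetical stand-in for an ERC-1155 batch transfer message sent over a bridge.
    struct BatchTransfer {
        address token;
        address receiver;
        uint256[] ids;
        uint256[] amounts;
    }

    // Carries both lengths so a failed call shows exactly what was submitted.
    error LengthMismatch(uint256 idsLength, uint256 amountsLength);

    // Shared guard: every id must have exactly one amount.
    function _checkLengths(uint256[] memory ids, uint256[] memory amounts) private pure {
        if (ids.length != amounts.length) {
            revert LengthMismatch(ids.length, amounts.length);
        }
    }

    // Sending side: reject a malformed batch before any message is produced.
    function encodeBatch(
        address token,
        address receiver,
        uint256[] memory ids,
        uint256[] memory amounts
    ) internal pure returns (bytes memory) {
        _checkLengths(ids, amounts);
        return abi.encode(BatchTransfer(token, receiver, ids, amounts));
    }

    // Receiving side: repeat the check, since the payload may not have been
    // produced by encodeBatch.
    function decodeBatch(bytes memory data) internal pure returns (BatchTransfer memory message) {
        message = abi.decode(data, (BatchTransfer));
        _checkLengths(message.ids, message.amounts);
    }
}
```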