Open c4-bot-9 opened 5 months ago
dmvt marked the issue as primary issue
0xRektora (sponsor) confirmed
dmvt marked the issue as satisfactory
dmvt marked the issue as selected for report
0xRektora (sponsor) disputed
0xRektora (sponsor) confirmed
0xRektora marked the issue as disagree with severity
@dmvt It should be a QA. The fee is computed off-chain, and will account for any price changes. Even if we implemented the proposed mitigation, at the end it's at the source chain that the necessary amount needs to be computed.
Agreed
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-a
dmvt marked the issue as not selected for report
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/050e666142e61018dbfcba64d295f9c458c69700/contracts/tokens/TapTokenReceiver.sol#L194-L196
Vulnerability details
Impact
Network or Config changes can cause fee.nativeFee to be insufficient, making xChain Messages revert indefinitely.
These fees could change, meaning that some messages could fail to be relayed for sendParam.fee.nativeFee
Code Snippet
https://github.com/Tapioca-DAO/tap-token/blob/050e666142e61018dbfcba64d295f9c458c69700/contracts/tokens/TapTokenReceiver.sol#L194-L196
For messages for which the Computed Fee on srcChain ends up being different from the required fee on dstChain, messages may fail due to insufficient fee
Because fees are hardcoded on the srcChain call, any change in the fee will cause the messages to be stuck indefinitely
POC
setMessagingFee
L0 Code
Following the L0 V2 docs: https://layerzero.gitbook.io/docs/evm-guides/contract-standards/estimating-message-fees
We can check a basic version of how messages can be priced (hardcoded values)
https://github.com/LayerZero-Labs/LayerZero-v2/blob/142846c3d6d51e3c2a0852c41b4c2b63fcda5a0a/protocol/contracts/messagelib/SimpleMessageLib.sol#L71-L92
And a more realistic example, in which prices are based on a premium of gas used + a variable cost due to network costs
https://github.com/LayerZero-Labs/LayerZero-v2/blob/142846c3d6d51e3c2a0852c41b4c2b63fcda5a0a/messagelib/contracts/ExecutorFeeLib.sol#L106-L175
You can see the Price Feed from L0 which implements dynamic pricing based on chain average gas fees, which are relayed by a trusted entity
https://github.com/LayerZero-Labs/LayerZero-v2/blob/142846c3d6d51e3c2a0852c41b4c2b63fcda5a0a/messagelib/contracts/PriceFeed.sol#L152-L164
The L0 library will be pricing costs dynamically, meaning that a hardcoded fee can cause reverts when gas prices rise sufficiently fast
Mitigation
Use fee.nativeFee to enforce a minimum, but allow passing msg.value to avoid this edge case
Assessed type
MEV
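A sketch of the mitigation proposed above, next to the fixed-fee pattern it replaces. This is an added example, not part of the original submission and not Tapioca or LayerZero code: IRemoteSender, FeeFloorForwarder and the function names are hypothetical stand-ins. It assumes the sender refunds to refundTo any native value above the fee actually charged.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Same shape as the fee pair the report refers to (fee.nativeFee).
struct MessagingFee {
    uint256 nativeFee;
    uint256 lzTokenFee;
}

// Hypothetical stand-in for the token's cross-chain send entry point.
interface IRemoteSender {
    function sendPacket(bytes calldata message, MessagingFee calldata fee, address refundTo)
        external
        payable;
}

// Internal helpers meant to be called from an authenticated message handler;
// `fee` is the value that was encoded when the message was built on srcChain.
abstract contract FeeFloorForwarder {
    error BelowQuotedFee(uint256 attached, uint256 quoted);

    // Fixed-fee pattern: forwards exactly the amount quoted on srcChain.
    // If the required fee has risen since the quote, the send reverts and
    // attaching more value to the delivery does not help.
    function _forwardFixed(IRemoteSender sender, bytes calldata message, MessagingFee calldata fee)
        internal
    {
        sender.sendPacket{value: fee.nativeFee}(message, fee, msg.sender);
    }

    // Mitigation: fee.nativeFee is only a floor. Whatever was attached to
    // this call is forwarded, so a retry with a larger msg.value can cover
    // a fee increase without rebuilding the message on srcChain.
    function _forwardWithFloor(IRemoteSender sender, bytes calldata message, MessagingFee calldata fee)
        internal
    {
        if (msg.value < fee.nativeFee) revert BelowQuotedFee(msg.value, fee.nativeFee);
        MessagingFee memory paid =
            MessagingFee({nativeFee: msg.value, lzTokenFee: fee.lzTokenFee});
        sender.sendPacket{value: msg.value}(message, paid, msg.sender);
    }
}
```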