linear[bot]
commented
1 year ago HPL-53 Lack of input validation
Multiple contracts within scope lack validation of certain pieces of input such as HRP, the gas token, and the oracle configurations. Invalid pieces of information would render the contracts unusable until a correct value is provided although in some cases this will require deploying a new contract. * msg.hrp in contracts/core/va/src/contract.rs:46 * msg.gas_token in contracts/igps/core/src/contract.rs:34 * msg.hrp in contracts/igps/core/src/contract.rs:35 * msg.hrp in contracts/core/mailbox/src/contract.rs:27 * msg.hrp in contracts/isms/multisig/src/contract.rs:35 * config in contracts/igps/oracle/src/contract.rs:54, 71 **Recommendation** We recommend: * Enforcing a best-effort validation on HRP so it only contains lowercase letters. * Querying the gas_token supply to ensure that it is a valid token. * Check that the provided Oracle config does not include an exchange rate of zero.
This needs to be tested