0xWeiss - [M-04] Unchecked to and from address are not 0 can lead to unexpected burn of funds.

[github-actions[bot]]

0xWeiss

medium

[M-04] Unchecked to and from address are not 0 can lead to unexpected burn of funds.

Summary

In the following function:

 https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/StandardBridge.sol#L397-L434
 https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1StandardBridge.sol#L281

The function :

function _initiateBridgeERC20( address _localToken, address _remoteToken, address _from, address _to, uint256 _amount, uint32 _minGasLimit, bytes memory _extraData ) internal { the is no validation for the to and from inuts, which could be the 0 address.

Vulnerability Detail

Is calling the finalizeBridgeERC20 in the other contract which makes the transfer to the to address. In this case, the to address is not checked if it is not 0. So, if the to address is 0, the funds will be burned.

Impact

User funds can be burned if the to address is 0 due to unexistent validation

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/StandardBridge.sol?plain=1#L397-L434
 https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1StandardBridge.sol?plain=1#L281

Tool used

Manual Review

Recommendation

Add require statements such as:

 require(_to != address(0));
 require(_from != address(0));

[rcstanciu]

Comment from Optimism

---

Description: Unchecked to and from address are not 0 can lead to unexpected burn of funds.

Reason: This is a non-issue, and it is up to the user to ensure that they are not sending funds to the zero address (or any incorrect address, for that matter).