0xWallSecurity - [M-2] Users can send empty messages without paying fees

[sherlock-admin2]

0xWallSecurity

medium

[M-2] Users can send empty messages without paying fees

Summary

Users can send empty messages through AvailBridge::sendMessage without paying fees by sending empty data and a value of 0.

Vulnerability Detail

The Avail Bridge documentation states that the value of a sendMessage transaction must be strictly > 0 (search for "The pallet has to check for the following:"). This invariant is harmed by sending a transaction with value: 0 and bypassing the fee check by sending data with length == 0.

Impact

By sending messages with data.length == 0 the total fee value is not increased, since it is just adding 0 to it:

AvailBridge::sendMessage

fees += msg.value;

This leads to users being able to send (empty) messages without paying fees.

Code Snippet

Add the following test to the end of AvailBridgeTest.t.sol and run forge test --mt test_auditRevertFeeTooLow_sendMessage -vvvvv:

function test_auditRevertFeeTooLow_sendMessage(bytes32 to) external {
        uint256 gasStart = gasleft();
        bytes memory data;
        address from = makeAddr("from");
        vm.prank(from);
        bridge.sendMessage{value: 0}(to, data);
        console.logBytes32(bridge.isSent(0));
        assert(bridge.isSent(0) != 0x0);
        console.log("Gas used: ", gasStart-gasleft());
    }

Tool used

• Foundry Forge
• Manual Review

Recommendation

Implement an additional check on the msg.value:

if (msg.value == 0) {
            revert NotEnoughEthSent();
        }

Duplicate of #84

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because {invalid : sending empty message == no work && no pay}