Closed sherlock-admin2 closed 8 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Invalid. User mistake. See Sherlock documentation
takarez commented:
valid because { and a duplicate of issue 013}
Udsen
medium
THE `msg.sender` OF THE `AvailBridge.sendMessage` TRANSACTION WILL LOSE THE EXCESSIVE NATIVE ETH FUNDS TRANSFERRED TO THE TRANSACTION SINCE THERE IS NO LOGIC TO REFUND THE EXCESSIVE AMOUNT

Summary
The `AvailBridge.sendMessage` function does not refund the excessive native `eth` (to the `msg.sender`) transferred to the contract after accounting for the respective fee amount.

Vulnerability Detail
The `AvailBridge.sendMessage` function is used for passing arbitrary data from Ethereum to Avail. The `sendMessage` is a payable function and is expected to receive native eth which is greater than the fee amount calculated based on the given message length which is to be passed to `Avail chain`.

There is an input validation check to ensure the `msg.value >= fee amount` as shown below:

But the issue here is that, if more native `eth` is transferred as fee to this `sendMessage` transaction, that excessive eth will also be added to the `fee` state variable without being refunded to the `msg.sender`.

Impact
This is a loss of funds to the `msg.sender` if he mistakenly sends in a very large native eth amount (way more than the required fee amount) while calling the `sendMessage` transaction.

Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L306-L308
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L313
Tool used
VSCode and Manual Review
Recommendation
Hence it is recommended to add logic to the `AvailBridge.sendMessage` function to refund the excessive native eth transferred to the `sendMessage` transaction to the `msg.sender`, after accounting for the `calculated fee amount based on the message length` to be passed to the `Avail` chain.
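
The refund recommended above, sketched as an added Solidity example that is not AvailBridge's code and not part of the original report. The contract, `feePerByte`, `accruedFees` and the function names are hypothetical, and the per-byte fee rule is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not AvailBridge code. feePerByte, accruedFees and the
// function names are hypothetical stand-ins for the fee logic in the report.
contract FeeRefundExample {
    error FeeTooLow();
    error RefundFailed();

    uint256 public feePerByte = 1 gwei; // assumed pricing rule
    uint256 public accruedFees;
    bool private locked;

    event MessageSent(address indexed from, uint256 feeCharged, uint256 refunded);

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function requiredFee(uint256 length) public view returns (uint256) {
        return length * feePerByte;
    }

    // Pattern the report describes: only a lower bound is checked, so any
    // surplus in msg.value is booked as fees and never returned.
    function sendKeepingExcess(bytes calldata data) external payable {
        uint256 required = requiredFee(data.length);
        if (msg.value < required) revert FeeTooLow();
        accruedFees += msg.value;
        emit MessageSent(msg.sender, msg.value, 0);
    }

    // Recommended pattern: book only the required fee, then return the rest.
    // State is updated before the external call (checks-effects-interactions).
    function sendWithRefund(bytes calldata data) external payable nonReentrant {
        uint256 required = requiredFee(data.length);
        if (msg.value < required) revert FeeTooLow();
        accruedFees += required;
        uint256 excess = msg.value - required;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
        emit MessageSent(msg.sender, required, excess);
    }
}
```

With the refund in place, a caller that is a contract unable to receive ETH will see the whole call revert. A stricter alternative is to reject any `msg.value` that differs from the required fee, which removes the external call entirely.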