sherlock-admin
commented
8 months ago 2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Invalid. User mistake. See Sherlock documentation
takarez commented:
valid because { and a duplicate of issue 013}
Udsen
medium
THE
msg.senderOF THEAvailBridge.sendMessageTRANSACTION WILL LOSE THE EXCESSIVE NATIVE ETH FUNDS TRANSFERRED TO THE TRANSACTION SINCE THIER IS NOT LOGIC TO REFUND THE EXCESSIVE AMOUNTSummary
The
AvailBridge.sendMessagefunction does not refund the excessive nativeeth(to the msg.sender) transferred to the contract after accounting for the respective fee amount.Vulnerability Detail
The
AvailBridge.sendMessagefunction is used for passing arbitrary data from Ethereum to Avail. ThesendMessageis payable function and expected to recieve native eth which greater than the fee amount calculated based on the given message length which is to be passed toAvail chain.There is an input validation check to ensure the
msg.value >= fee amountas shown below:But the issue here is that, if more native
ethis transferred as fee to thissendMessagetransaction that excessive eth will also be added to thefeestate variable without being refunded to themsg.senderImpact
This is loss of funds to the
msg.senderif he mistakenly sends in a very large native eth amount (way more than the required fee amount) while calling thesendMessagetransaction.Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L306-L308
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L313
Tool used
VSCode and Manual Review
Recommendation
Hence it is recommended to add a logic to the
AvailBridge.sendMessagefunction to refund the excessive native eth transferred to thesendMessagetransaction, to themsg.senderafter accounting for thecalculated fee amount based on the message lengthto be passed to theAvailchain.