According to AvailBridge.getFee, while transferring calldata, the protocol will charge length * feePerByte as fee.
But in AvailBridge.sendMessage, the function only checks that there is enough ETH to pay for the fee, and the function doesn't return the over payment back to msg.sender
Impact
AvailBridge doesn't return overpayment
Code Snippet
300 function sendMessage(bytes32 recipient, bytes calldata data) external payable whenNotPaused {
301 uint256 length = data.length;
302 if (length >= MAX_DATA_LENGTH) {
303 revert ExceedsMaxDataLength();
304 }
305 // ensure that fee is above minimum amount
306 if (msg.value < getFee(length)) {
307 revert FeeTooLow();
308 }
309 uint256 id;
310 unchecked {
311 id = messageId++;
312 }
313 fees += msg.value; <<<--- the function doesn't return the over payment back to msg.sender
314 Message memory message = Message(
315 MESSAGE_TX_PREFIX, bytes32(bytes20(msg.sender)), recipient, ETH_DOMAIN, AVAIL_DOMAIN, data, uint64(id)
316 );
317 // store message hash to be retrieved later by our light client
318 isSent[id] = keccak256(abi.encode(message));
319
320 emit MessageSent(msg.sender, recipient, id);
321 }
Tool used
Manual Review
Recommendation
The function should return the over payment back to msg.sender
jasonxiale
medium
AvailBridge doesn't return overpayment
Summary
AvailBridge doesn't return overpayment
Vulnerability Detail
According to AvailBridge.getFee, while transferring calldata, the protocol will charge
length * feePerByte
as fee. But in AvailBridge.sendMessage, the function only checks that there is enough ETH to pay for the fee, and the function doesn't return the over payment back tomsg.sender
Impact
AvailBridge doesn't return overpayment
Code Snippet
Tool used
Manual Review
Recommendation
The function should return the over payment back to msg.sender