sherlock-audit / 2023-12-avail-judging


jasonxiale - AvailBridge doesn't return overpayment #125

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

jasonxiale

medium

AvailBridge doesn't return overpayment

Summary

AvailBridge doesn't return overpayment

Vulnerability Detail

According to AvailBridge.getFee, while transferring calldata, the protocol will charge length * feePerByte as fee. But in AvailBridge.sendMessage, the function only checks that there is enough ETH to pay for the fee, and the function doesn't return the overpayment back to msg.sender.

Impact

AvailBridge doesn't return overpayment

Code Snippet

```solidity
    function sendMessage(bytes32 recipient, bytes calldata data) external payable whenNotPaused {
        uint256 length = data.length;
        if (length >= MAX_DATA_LENGTH) {
            revert ExceedsMaxDataLength();
        }
        // ensure that fee is above minimum amount
        if (msg.value < getFee(length)) {
            revert FeeTooLow();
        }
        uint256 id;
        unchecked {
            id = messageId++;
        }
        fees += msg.value; // <<<--- the function doesn't return the overpayment back to msg.sender
        Message memory message = Message(
            MESSAGE_TX_PREFIX, bytes32(bytes20(msg.sender)), recipient, ETH_DOMAIN, AVAIL_DOMAIN, data, uint64(id)
        );
        // store message hash to be retrieved later by our light client
        isSent[id] = keccak256(abi.encode(message));

        emit MessageSent(msg.sender, recipient, id);
    }
```

Tool used

Manual Review

Recommendation

The function should return the overpayment back to msg.sender.
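The following is an added illustration of the two ways the recommendation above can be implemented; it is constructed for this page and is not code from the Avail repository. The contract is a simplified stand-in: `MAX_DATA_LENGTH`, the `feePerByte` storage variable, the `_record` helper and the hash layout are assumptions, not the bridge's real definitions. `sendMessageAbsorbing` reproduces the pattern the report describes (every wei of `msg.value` is credited to `fees`); `sendMessageRefunding` credits only the computed fee and sends the excess back after all state has been written; `sendMessageExact` avoids the refund transfer altogether by requiring exact payment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this issue page; not the Avail bridge contract.
contract OverpaymentExample {
    uint256 public constant MAX_DATA_LENGTH = 102_400; // assumed limit, not the bridge's
    uint256 public immutable feePerByte;               // assumed to be fixed at deployment
    uint256 public fees;                               // fee balance retained by the contract
    uint256 public messageId;
    mapping(uint256 => bytes32) public isSent;

    error ExceedsMaxDataLength();
    error FeeTooLow();
    error FeeMismatch();
    error RefundFailed();

    event MessageSent(address indexed from, bytes32 indexed to, uint256 messageId);

    constructor(uint256 feePerByte_) {
        feePerByte = feePerByte_;
    }

    function getFee(uint256 length) public view returns (uint256) {
        return length * feePerByte;
    }

    // Pattern described in the report: any ETH above the fee is silently kept.
    function sendMessageAbsorbing(bytes32 recipient, bytes calldata data) external payable {
        uint256 length = data.length;
        if (length >= MAX_DATA_LENGTH) revert ExceedsMaxDataLength();
        if (msg.value < getFee(length)) revert FeeTooLow();
        fees += msg.value; // overpayment is never returned
        _record(recipient, data);
    }

    // Option A: credit only the fee, then refund the excess as the last step
    // (checks-effects-interactions: every state write happens before the external call).
    function sendMessageRefunding(bytes32 recipient, bytes calldata data) external payable {
        uint256 length = data.length;
        if (length >= MAX_DATA_LENGTH) revert ExceedsMaxDataLength();
        uint256 fee = getFee(length);
        if (msg.value < fee) revert FeeTooLow();
        fees += fee;
        uint256 refund = msg.value - fee; // cannot underflow: msg.value >= fee
        _record(recipient, data);
        if (refund > 0) {
            (bool ok, ) = payable(msg.sender).call{value: refund}("");
            if (!ok) revert RefundFailed();
        }
    }

    // Option B: accept only the exact fee, so no ETH ever has to be sent back.
    function sendMessageExact(bytes32 recipient, bytes calldata data) external payable {
        uint256 length = data.length;
        if (length >= MAX_DATA_LENGTH) revert ExceedsMaxDataLength();
        if (msg.value != getFee(length)) revert FeeMismatch();
        fees += msg.value; // equal to the fee by construction
        _record(recipient, data);
    }

    // Simplified stand-in for the bridge's Message struct and light-client hash.
    function _record(bytes32 recipient, bytes calldata data) internal {
        uint256 id;
        unchecked {
            id = messageId++;
        }
        isSent[id] = keccak256(abi.encode(msg.sender, recipient, data, id));
        emit MessageSent(msg.sender, recipient, id);
    }
}
```

Option A keeps the caller's existing ability to overpay, but the refund is an external call: a contract caller whose `receive` function reverts will make its own `sendMessage` revert, and the call is placed after all state changes so re-entering the contract can only start a fresh, separately paid message. Option B has no outbound transfer at all, at the cost of being brittle if the fee can change between the caller quoting `getFee` and the transaction being mined. Either removes the silent accumulation of excess ETH in `fees` that the report describes.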

sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. User mistake. See Sherlock documentation

takarez commented:

valid because { valid}