John_Femi
medium
No check between Avail token and ERC20 Token
Summary
A message produced by the sendERC20 function can be redeemed through the receiveAvail function, because receiveAvail performs no check that the asset in the message is AVAIL. This can lead to a massive loss for the protocol: AVAIL is minted 1:1 for the amount of ERC20 locked, even though the ERC20 is worth less than AVAIL (AVAIL/USDT != ERC20/USDT), so the bridge pays out more value than it received.
Vulnerability Detail
Looking at this test function
In the test, a message produced by sendERC20 was redeemed through receiveAvail instead of receiveERC20 and still succeeded, creating a large imbalance between the value locked on one side and the value minted on the other.
Impact
Loss of funds for the protocol: AVAIL is minted against locked ERC20 deposits of lower value.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L383
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L212
Tool used
Manual Review
Recommendation
Add a check that the assetId carried in the message matches AVAIL's assetId before minting AVAIL to the receiver, so a message emitted by sendERC20 (whose assetId is that of the locked ERC20) cannot be redeemed through receiveAvail.
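The following is an added illustration of the recommendation and of the cross-path redemption described under Vulnerability Detail; it is not code from AvailBridge.sol. It is a stripped-down model of a bridge with both receive paths: `receiveAVAILUnchecked` has the shape the finding describes (any FungibleToken message mints AVAIL), and `receiveAVAIL` adds the assetId check. The struct layout, the `MessageType` enum, the `AVAIL_ASSET_ID` constant, the token registry and the two interfaces are assumptions made for this example, and Merkle-proof verification of the message is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. All names and the assetId layout
// below are assumptions made for illustration.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMintableAVAIL {
    function mint(address to, uint256 amount) external;
}

contract BridgeModel {
    enum MessageType { ArbitraryMessage, FungibleToken }

    struct Message {
        MessageType messageType;
        bytes32 from;
        bytes32 to;
        bytes data;        // abi.encode(bytes32 assetId, uint256 value)
        uint64 messageId;
    }

    error InvalidMessageType();
    error InvalidAssetId(bytes32 assetId);
    error AlreadyProcessed(uint64 messageId);

    // Assumption for the example: AVAIL is identified by the zero asset id;
    // every bridged ERC20 gets a distinct non-zero id.
    bytes32 public constant AVAIL_ASSET_ID = bytes32(0);

    IMintableAVAIL public immutable avail;
    mapping(bytes32 assetId => address token) public tokens;
    mapping(uint64 messageId => bool) public processed;

    constructor(IMintableAVAIL _avail) {
        avail = _avail;
    }

    // Model only: no access control on registration.
    function registerToken(bytes32 assetId, address token) external {
        tokens[assetId] = token;
    }

    // Locks an ERC20 and returns the message payload that the other side will
    // see. The payload carries the locked token's assetId, not AVAIL's.
    function sendERC20(bytes32 assetId, uint256 amount) external returns (bytes memory data) {
        address token = tokens[assetId];
        if (token == address(0)) revert InvalidAssetId(assetId);
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        data = abi.encode(assetId, amount);
    }

    // Vulnerable shape described in the finding: mints AVAIL for any
    // FungibleToken message, whatever asset was actually locked.
    function receiveAVAILUnchecked(Message calldata message) external {
        if (message.messageType != MessageType.FungibleToken) revert InvalidMessageType();
        _markProcessed(message.messageId);
        (, uint256 value) = abi.decode(message.data, (bytes32, uint256));
        avail.mint(_toAddress(message.to), value);
    }

    // Hardened: the assetId in the message must be AVAIL's own id, so a
    // payload produced by sendERC20 reverts here.
    function receiveAVAIL(Message calldata message) external {
        if (message.messageType != MessageType.FungibleToken) revert InvalidMessageType();
        _markProcessed(message.messageId);
        (bytes32 assetId, uint256 value) = abi.decode(message.data, (bytes32, uint256));
        if (assetId != AVAIL_ASSET_ID) revert InvalidAssetId(assetId);
        avail.mint(_toAddress(message.to), value);
    }

    // ERC20 path: releases the registered token for the message's assetId.
    function receiveERC20(Message calldata message) external {
        if (message.messageType != MessageType.FungibleToken) revert InvalidMessageType();
        _markProcessed(message.messageId);
        (bytes32 assetId, uint256 value) = abi.decode(message.data, (bytes32, uint256));
        address token = tokens[assetId];
        if (token == address(0)) revert InvalidAssetId(assetId);
        IERC20(token).transfer(_toAddress(message.to), value);
    }

    function _markProcessed(uint64 messageId) internal {
        if (processed[messageId]) revert AlreadyProcessed(messageId);
        processed[messageId] = true;
    }

    // Assumption: the recipient is right-aligned in the bytes32 field.
    function _toAddress(bytes32 raw) internal pure returns (address) {
        return address(uint160(uint256(raw)));
    }
}
```

With this model, a `Message` whose `data` came from `sendERC20` decodes to the ERC20's assetId; `receiveAVAILUnchecked` mints AVAIL for it, while `receiveAVAIL` reverts with `InvalidAssetId`. Note that the check is on the decoded assetId, not on the message type: both paths legitimately use `FungibleToken`, so the message type alone cannot distinguish an AVAIL transfer from an ERC20 transfer.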