sherlock-audit / 2023-12-avail-judging


kgothatso - `AvailBridge :: withdrawFees` can be called by anyone and can cause front-running and a DOS attack #129

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

kgothatso

high

AvailBridge :: withdrawFees can be called by anyone and can cause front-running and a DOS attack

Summary

Can cause unexpected withdrawals to feeRecipient before they use the fees to receiveMessage.

Vulnerability Detail

This could cause a DOS attack on the receiveMessage function when we call it.

Impact

The receiveMessage call will revert due to no fees.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L171

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L187

Tool used

Manual Review

Recommendation

Add a modifier to withdrawFees to control access.

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { invalid: comment says "Callable by anyone because all fees are always sent to the recipient"}
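The judge's reasoning is worth seeing in code. The contract below is an added illustration and is not the AvailBridge code: the contract name, the flat `FEE`, the `fees` accounting and the `withdrawFeesTo` variant are all assumptions made for the example. The point it shows is that a permissionless `withdrawFees` is harmless when the caller controls neither the amount nor the destination, because the only effect any caller can produce is the one the recipient wanted anyway; the function that actually needs an access modifier is the one where the caller picks the destination.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical fee-collecting contract (NOT AvailBridge) used to illustrate
// why a permissionless fee sweep to a fixed recipient is not a DOS vector.
contract FeeSweepExample {
    // Destination is fixed at deployment; no caller can change it.
    address public immutable feeRecipient;
    address public immutable owner;

    // Assumed flat fee per message (constructed value for the example).
    uint256 public constant FEE = 0.01 ether;

    // Fees collected since the last sweep.
    uint256 public fees;
    uint256 public messagesReceived;

    error InsufficientFee();
    error NotOwner();
    error TransferFailed();

    constructor(address _feeRecipient) {
        feeRecipient = _feeRecipient;
        owner = msg.sender;
    }

    // The user pays the fee with the call itself. Whether earlier fees were
    // already swept to feeRecipient does not affect this check, so a sweep
    // cannot make receiveMessage revert.
    function receiveMessage() external payable {
        if (msg.value < FEE) revert InsufficientFee();
        fees += msg.value;
        messagesReceived += 1;
    }

    // Permissionless on purpose: the caller chooses neither amount nor
    // destination. Anyone calling this just pays gas to deliver the
    // recipient's own money to the recipient, which is the intended outcome.
    function withdrawFees() external {
        uint256 amount = fees;
        fees = 0; // effects before interaction
        (bool ok, ) = feeRecipient.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }

    // Contrast: a variant where the caller picks the destination DOES need
    // access control. Without the owner check below, anyone could drain the
    // accumulated fees to an address of their choosing.
    function withdrawFeesTo(address to) external {
        if (msg.sender != owner) revert NotOwner();
        uint256 amount = fees;
        fees = 0;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}

// Minimal self-contained check: a stranger sweeping fees moves them to the
// fixed recipient and does not stop later receiveMessage calls.
contract FeeSweepCheck {
    event Result(bool strangerSweepHarmless);

    function run() external payable returns (bool) {
        address recipient = address(0xBEEF); // constructed recipient address
        FeeSweepExample target = new FeeSweepExample(recipient);

        // A user pays for one message.
        target.receiveMessage{value: target.FEE()}();

        // A stranger (this contract, not the owner) sweeps the fees.
        uint256 before = recipient.balance;
        target.withdrawFees();
        bool wentToRecipient = recipient.balance == before + target.FEE();

        // The next message still goes through: it brings its own fee.
        target.receiveMessage{value: target.FEE()}();
        bool stillWorks = target.messagesReceived() == 2;

        bool harmless = wentToRecipient && stillWorks;
        emit Result(harmless);
        return harmless;
    }
}
```

To run the check, deploy `FeeSweepCheck` and call `run()` with at least `2 * FEE` of value attached; it returns `true` when the stranger's sweep only delivered fees to `feeRecipient` and the following `receiveMessage` still succeeded. The design lesson for triaging findings like this one: ask what an unauthorized caller can change. If the answer is "only the timing of a transfer the recipient already wants", there is no privilege to protect; if the answer includes the amount or the destination, an `onlyOwner`-style check is required.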