search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

Avci - the nonce value doesnt increace and its always == 1 #133

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

Avci

medium

the nonce value doesnt increace and its always == 1

Summary

the nonce value doesn't increase and its always == 1

Vulnerability Detail

in the contract Availbridge.sol one of the examples of broken increment is happening in L331 function sendAVAIL 

   uint256 id;
        unchecked {
            id = messageId++;
        }

imagine number of the messageif which is nonce is 0 and then this id in the function tries to increase but what happens is because the original value of messageid never increases the id is always going to be same like 1 if it 0 and everytime user calling these functions which this logic is used in manny functions of this project the id is going to be 1(same previous on) and then the whole messages will send over this id and its going to break the functionality of the nonce

// nonce uint64 messageId; } so it actually means that the nonce is broken in whole contract and because of these logics it keeps giving previous values which is not a valid nonce.

Impact

nonce logic is broken and will not give a valid nonce values which is dangerous.

Code Snippet

function sendAVAIL(bytes32 recipient, uint256 amount) external whenNotPaused checkDestAmt(recipient, amount) {

function sendAVAIL(bytes32 recipient, uint256 amount) external whenNotPaused checkDestAmt(recipient, amount) {
        uint256 id;
        unchecked {
            id = messageId++;
        }
        Message memory message = Message(
            TOKEN_TX_PREFIX,
            bytes32(bytes20(msg.sender)),
            recipient,
            ETH_DOMAIN,
            AVAIL_DOMAIN,
            abi.encode(bytes32(0), amount),
            uint64(id)
        );
        // store message hash to be retrieved later by our light client
        isSent[id] = keccak256(abi.encode(message));

        emit MessageSent(msg.sender, recipient, id);

        avail.burn(msg.sender, amount);
    }

Tool used

Manual Review

Recommendation

sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. Is increasing

takarez commented:

invalid because {invalid: this is increasing the messagId and then storing in a variable id}