sherlock-admin
commented
8 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { invalid: impact is unreasonable}
Closed sherlock-admin closed 8 months ago
sherlock-admin
commented
8 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { invalid: impact is unreasonable}
Anubis
medium
Message Source Authentication
Summary
Ensuring that incoming messages are only accepted from the legitimate Avail AMB is critical to prevent unauthorized actions or injection of malicious data.
Vulnerability Detail
The contract checks that the message sender is the authorized Avail AMB using msg.sender != availBridge. This check is pivotal, and the integrity of the availBridge address is crucial. If compromised or incorrectly set, unauthorized entities could send messages, leading to potential contract manipulation.
Impact
If the availBridge address is not securely managed, or if there's a vulnerability in how the contract determines the message sender, it might lead to unauthorized message processing.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/MessageReceiver.sol#L18-L23
This function ensures that the message is only processed if it's coming from the authorized Avail AMB.
Tool used
Manual Review
Recommendation
Secure Initialization and Management of availBridge: Ensure that availBridge is set correctly upon contract deployment and provide secure mechanisms (if necessary) to update it, guarding against unauthorized changes.