Messages flowing from Ethereum to Avail Blockchain does not have a message consumed lock
Summary
While the messages flowing from Avail to Ethereum have a spent lock, which means the message is consumed only once as there is a mechanism to track the message. There is no similar tracking available for messages flowing from Ethereum to Avail Blockchain.
The light weight client does not have support from bridge contract to track and prevent double spending.
Vulnerability Detail
While it is possible to queue exact same instruction a few times, potentially due to occurrence, a message queued for execution in Avail is not tracked for its status as pending or processed.
Refer to the below functions:
a) sendMessage()
b) sendAVAIL()
c) sendETH()
As such, there is a possibility to process the same exact message in the queue twice.
Currently, the reliance is on light weight client to process these messages only once.
ravikiran.web3
medium
Messages flowing from Ethereum to Avail Blockchain does not have a message consumed lock
Summary
While the messages flowing from Avail to Ethereum have a spent lock, which means the message is consumed only once as there is a mechanism to track the message. There is no similar tracking available for messages flowing from Ethereum to Avail Blockchain. The light weight client does not have support from bridge contract to track and prevent double spending.
Vulnerability Detail
While it is possible to queue exact same instruction a few times, potentially due to occurrence, a message queued for execution in Avail is not tracked for its status as pending or processed.
Refer to the below functions: a) sendMessage() b) sendAVAIL() c) sendETH()
As such, there is a possibility to process the same exact message in the queue twice. Currently, the reliance is on light weight client to process these messages only once.
Impact
Double spend problem
Code Snippet
sendMessage() https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L300-L321
sendAVAIL() https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L329-L349
sendETH() https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L356-L374
sendERC20() function https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L383-L411
In all the above functions, the message is queued, but there is no provision to mark the status of processing.
Tool used
Manual Review
Recommendation
Add tracking for each queued message and track the status.
To do that, create a struct as below and track it.
and then modify each of the receive function to store the message as below.
Also provision a function to mark it as process and restrict the marking to only avail light weight client.