Closed sherlock-admin closed 8 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Invalid. User mistake. See Sherlock documentation
takarez commented:
valid because { valid and a duplicate of issue 013}
IvanFitro
medium
AvailBridge.sol :: sendMessage() Users can submit excess fees, and the surplus is not refunded.
Summary
sendMessage() is employed to transmit a message from Ethereum to Avail, accompanied by a fee determined by the message length. However, if users submit an excess fee, the surplus amount is not refunded.
Vulnerability Detail
sendMessage() is used to send a message from Ethereum to Avail. The code verifies whether msg.value < getFee(length) to ensure that the user-provided amount covers the fee. However, it fails to check whether the sent amount exceeds the required fee. This oversight results in users paying more in fees than necessary, because the fee accounting uses msg.value instead of getFee(length).
POC
To run the POC, copy the provided code into AvailBridgeTest.t.sol.
Impact
Loss of funds of the users.
Code Snippet
https://github.com/sherlock-audit/2023-12-avail/blob/1afb56b8d4dfbf5d3f21bed0ddf80a04730204b5/contracts/src/AvailBridge.sol#L300C5-L321C6
Tool used
Manual Review.
Recommendation
An effective solution involves utilizing getFee(length) instead of msg.value and subsequently refunding any excess amount to the user.
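The pattern described in the Vulnerability Detail and the fix proposed in the Recommendation, side by side in a constructed contract (an added example, not AvailBridge's code; the per-byte fee schedule, the fees accumulator and the function names are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the excess-fee issue; not AvailBridge's code.
contract FeeRefundExample {
    uint256 public feePerByte = 1 gwei; // assumed fee schedule
    uint256 public fees;                // fee balance credited to the bridge

    event MessageSent(address indexed from, bytes data, uint256 feeCharged);

    error FeeTooLow(uint256 required, uint256 sent);
    error RefundFailed();

    function getFee(uint256 length) public view returns (uint256) {
        return length * feePerByte;
    }

    // Vulnerable pattern: only the lower bound is checked, and the whole
    // msg.value is booked as fees, so any surplus stays with the contract.
    function sendMessageVulnerable(bytes calldata data) external payable {
        uint256 fee = getFee(data.length);
        if (msg.value < fee) revert FeeTooLow(fee, msg.value);
        fees += msg.value;
        emit MessageSent(msg.sender, data, msg.value);
    }

    // Hardened pattern: credit exactly getFee(length) and refund the rest.
    // State is updated before the external call (checks-effects-interactions),
    // so a re-entering refund receiver cannot get the fee credited twice.
    function sendMessage(bytes calldata data) external payable {
        uint256 fee = getFee(data.length);
        if (msg.value < fee) revert FeeTooLow(fee, msg.value);
        fees += fee;
        emit MessageSent(msg.sender, data, fee);

        uint256 excess = msg.value - fee;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```

An alternative that avoids the outbound call entirely is to require msg.value == getFee(length) and let callers query getFee() first; either way the amount credited to fees must be getFee(length), not msg.value.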