Closed sherlock-admin closed 8 months ago
This is an interesting vector, but if a user wants to send assets to the zero address, the onus is on them. We cannot prevent users from sending assets to arbitrary locations. Zero checks are mostly pre-emptive protection, but an additional check here does not help because the assets are lost anyway because the corresponding assets will be burned on Avail.
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because {invalid: out-of scope}
0x52
medium
User can receive tokens/messages to address(0) by using a malformed destination address
Medium
Summary
When receiving a message/token, the contract specifically blocks sending to address(0); however, by using a purposefully malformed address they can still send it there due to the truncation that occurs.
Vulnerability Detail
AvailBridge.sol#L200
When messages are created they use a generic bytes32 data type so they are compatible with other blockchains that use 32 byte addresses instead of the 20 byte ones used on EVM chains. To convert between these, the contract simply truncates and converts to address. Truncation allows users to specify an address that is non-zero but that truncates to address(0). By putting values only in the bytes lost to truncation and leaving the rest blank, a user can bypass this restriction.
Impact
Tokens and messages can be sent to address(0)
Code Snippet
AvailBridge.sol#L200
AvailBridge.sol#L226
AvailBridge.sol#L254
AvailBridge.sol#L287
Tool used
Manual Review
Recommendation
Check if dest == address(0) after truncation.
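The check placement described in the report, as an added Solidity sketch that is not code from AvailBridge.sol or from the report. The contract, error and function names are hypothetical, and the conversion `address(bytes20(to))`, which drops the trailing 12 bytes, is an assumption about how the truncation is done; the last function is a stricter variant that goes beyond the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical example contract; names are illustrative only.
contract DestCheckExample {
    error InvalidDestination();

    // Constructed sample: non-zero as bytes32, but the 20 bytes that
    // survive truncation are all zero.
    bytes32 public constant MALFORMED = bytes32(uint256(1));

    /// Pattern the report describes: the zero check runs on the full
    /// 32-byte value, so MALFORMED passes and dest becomes address(0).
    function destCheckedBeforeTruncation(bytes32 to)
        public
        pure
        returns (address dest)
    {
        if (to == bytes32(0)) revert InvalidDestination();
        dest = address(bytes20(to)); // assumed truncation: keeps first 20 bytes
    }

    /// Recommended form: truncate first, then compare the resulting
    /// address. Reverts for bytes32(0) and for MALFORMED.
    function destCheckedAfterTruncation(bytes32 to)
        public
        pure
        returns (address dest)
    {
        dest = address(bytes20(to));
        if (dest == address(0)) revert InvalidDestination();
    }

    /// Stricter variant (not part of the report's recommendation):
    /// also reject any value whose dropped bytes are non-zero, so each
    /// EVM destination has exactly one valid bytes32 encoding.
    function destCanonicalOnly(bytes32 to)
        public
        pure
        returns (address dest)
    {
        dest = address(bytes20(to));
        if (dest == address(0)) revert InvalidDestination();
        // bytes20 -> bytes32 pads with zeros on the right.
        if (bytes32(bytes20(to)) != to) revert InvalidDestination();
    }
}
```

If the conversion is instead `address(uint160(uint256(to)))`, the leading 12 bytes are the ones dropped, and the same post-truncation comparison applies.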