0x52 - User can receive tokens/messages to address(0) by using a malformed destination address

[sherlock-admin]

0x52

medium

User can receive tokens/messages to address(0) by using a malformed destination address

User can receive tokens/messages to address(0) by using a malformed destination address

Medium

Summary

When receiving a message/token, the contract specifically blocks sending to address(0) however by using a purposefully malformed address they can still send it there due to the truncation that occurs.

Vulnerability Detail

AvailBridge.sol#L200

    address dest = address(bytes20(message.to));

When messages are created they use a generic bytes32 data type so they are compatible with other blockchains that user 32 byte addresses instead of the 20 byte ones used on EVM chains. To convert between these, the contract simply truncates and converts to address. Truncation allows users to specify an address that is non-zero but that truncates to address(0). By putting values only in the bytes lost to truncation and leaving the rest blank, a user can bypass this restriction.

Impact

Tokens and messages can be sent to address(0)

Code Snippet

AvailBridge.sol#L200

AvailBridge.sol#L226

AvailBridge.sol#L254

AvailBridge.sol#L287

Tool used

Manual Review

Recommendation

Check if dest == address(0) after truncation.

[QEDK]

This is an interesting vector, but if a user wants to send assets to the zero address, the onus is on them, we cannot prevent users from sending assets to arbitrary locations, zero checks are mostly pre-emptive protection but an additional check here does not help because the assets are lost anyway because the corresponding assets will be burned on Avail.

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because {invalid: out-of scope}