sherlock-audit / 2024-08-tokamak-network-judging


Glamorous Tangerine Cricket - There is no check for zero amount in `StandardBridge::_initiateBridgeETH` function #86

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

Glamorous Tangerine Cricket

Low/Info

There is no check for zero amount in StandardBridge::_initiateBridgeETH function

Summary

If the _amount parameter in the _initiateBridgeETH function is set to zero, then initiating the bridge and sending a message to the other side is meaningless and only causes unnecessary gas usage.

https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/contracts-bedrock/src/universal/StandardBridge.sol#L315

Vulnerability Detail

Since both bridgeETH and bridgeETHTo invoke the _initiateBridgeETH function, users can execute these two functions with _amount set to zero, allowing them to send a message to the other side without any revert.
Please copy the test function below and add it to the end of the L1StandardBridge.t.sol file.

  contract MyL1StandardBridge is Bridge_Initializer {
    function test_expectRevertWhenETHAmountIsZero() external {
      vm.startPrank(bob);
      // Expected to revert because the bridged amount is zero, but the call succeeds
      vm.expectRevert();
      l1StandardBridge.bridgeETH{value: 0}(50000, hex'');
      vm.stopPrank();
    }
  }

Test is expected to revert due to a zero amount, but it doesn’t.

Recommendation

Check the amount at the start of the _initiateBridgeETH function.

    function _initiateBridgeETH(
        address _from,
        address _to,
        uint256 _amount,
        uint32 _minGasLimit,
        bytes memory _extraData
    )
        internal
    {
+        require(_amount > 0, "amount value is zero!!");
...
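The behaviour described in the finding and the effect of the recommended check, as an added example that is not part of the original report or the Tokamak codebase. `ZeroAmountBridge` is a constructed stand-in for the bridge's ETH path (the cross-domain send is replaced by an event), and the Foundry test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for StandardBridge's ETH path, not the Tokamak contract:
// bridgeETH forwards msg.value to _initiateBridgeETH, which stands in for the
// cross-domain send by emitting an event. checkZero toggles the recommended fix.
contract ZeroAmountBridge {
    event ETHBridgeInitiated(address indexed from, address indexed to, uint256 amount, bytes extraData);
    bool public immutable checkZero;

    constructor(bool _checkZero) {
        checkZero = _checkZero;
    }

    function bridgeETH(uint32 _minGasLimit, bytes calldata _extraData) external payable {
        _initiateBridgeETH(msg.sender, msg.sender, msg.value, _minGasLimit, _extraData);
    }

    function _initiateBridgeETH(address _from, address _to, uint256 _amount, uint32, bytes memory _extraData) internal {
        // With checkZero == false this mirrors the unpatched bridge: a zero-value
        // bridge still produces a cross-domain message and burns gas for nothing.
        if (checkZero) require(_amount > 0, "StandardBridge: amount is zero");
        emit ETHBridgeInitiated(_from, _to, _amount, _extraData);
    }
}

contract ZeroAmountBridgeTest is Test {
    address bob = makeAddr("bob");

    function test_unpatchedAcceptsZeroAmount() external {
        ZeroAmountBridge bridge = new ZeroAmountBridge(false);
        vm.prank(bob);
        bridge.bridgeETH{value: 0}(50000, hex""); // no revert: the finding's behaviour
    }

    function test_patchedRevertsOnZeroAmount() external {
        ZeroAmountBridge bridge = new ZeroAmountBridge(true);
        vm.prank(bob);
        vm.expectRevert(bytes("StandardBridge: amount is zero"));
        bridge.bridgeETH{value: 0}(50000, hex"");
    }
    function test_patchedAcceptsNonZeroAmount() external {
        ZeroAmountBridge bridge = new ZeroAmountBridge(true);
        vm.deal(bob, 1 ether);
        vm.prank(bob);
        bridge.bridgeETH{value: 1 ether}(50000, hex"");
    }
}
```

Run with `forge test` in a project that has forge-std installed; the third test confirms the check does not affect ordinary non-zero bridges.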