sherlock-audit / 2024-09-orderly-network-solana-contract-judging


Sleepy Seaweed Chinchilla - eth will be lost in _lzSend #118

Open sherlock-admin3 opened 4 days ago

sherlock-admin3 commented 4 days ago

Sleepy Seaweed Chinchilla

Medium

eth will be lost in _lzSend

Summary

In the _payNative function we are returning the _nativeFee, but the excess msg.value-_nativeFee will be lost.

Root Cause

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/sol-cc/contracts/layerzerolabs/lz-evm-oapp-v2/contracts/oapp/OAppSenderUpgradeable.sol#L93

function _lzSend(
    uint32 _dstEid,
    bytes memory _message,
    bytes memory _options,
    MessagingFee memory _fee,
    address _refundAddress
) internal virtual returns (MessagingReceipt memory receipt) {
    // @dev Push corresponding fees to the endpoint, any excess is sent back to the _refundAddress from the endpoint.
    uint256 messageValue = _payNative(_fee.nativeFee);
    if (_fee.lzTokenFee > 0) _payLzToken(_fee.lzTokenFee);

    return
        // solhint-disable-next-line check-send-result
        endpoint.send{ value: messageValue }(
            MessagingParams(_dstEid, _getPeerOrRevert(_dstEid), _message, _options, _fee.lzTokenFee > 0),
            _refundAddress
        );
}

function _payNative(uint256 _nativeFee) internal virtual returns (uint256 nativeFee) {
    // enable the OApp to pay the native fee
    if (msg.value < _nativeFee && address(this).balance < _nativeFee) revert NotEnoughNative(msg.value);
    return _nativeFee;
}

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Excess msg.value-_nativeFee will be lost in _lzSend

PoC

No response

Mitigation

Return excess value to the msg.sender.
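
One way the mitigation stated in the report could be written, as an added example that is not the project's or LayerZero's code. The contract name, `_payNativeTrackExcess`, `_refundExcess` and `RefundFailed` are hypothetical; only `NotEnoughNative` and the balance check are taken from the snippet quoted in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All names except NotEnoughNative are hypothetical.
abstract contract NativeFeeWithRefund {
    error NotEnoughNative(uint256 msgValue);
    error RefundFailed(address to, uint256 amount);

    // Same precondition as the quoted _payNative, but also reports how much
    // of msg.value exceeds the fee so the caller can return it afterwards.
    function _payNativeTrackExcess(uint256 _nativeFee)
        internal
        virtual
        returns (uint256 nativeFee, uint256 excess)
    {
        if (msg.value < _nativeFee && address(this).balance < _nativeFee) revert NotEnoughNative(msg.value);
        // When msg.value <= _nativeFee the contract's own balance covers the
        // difference and there is nothing to refund.
        excess = msg.value > _nativeFee ? msg.value - _nativeFee : 0;
        return (_nativeFee, excess);
    }

    // Call this last, after endpoint.send and every state update, because it
    // hands control to msg.sender. msg.value is the same for the whole
    // external call, so invoke it at most once per call; a second invocation
    // would pay the same excess out again from the contract's balance.
    function _refundExcess(uint256 excess) internal virtual {
        if (excess == 0) return;
        (bool ok, ) = payable(msg.sender).call{ value: excess }("");
        if (!ok) revert RefundFailed(msg.sender, excess);
    }

    // Intended use inside a send path (sketch, assuming the quoted _lzSend):
    //   (uint256 messageValue, uint256 excess) = _payNativeTrackExcess(_fee.nativeFee);
    //   receipt = endpoint.send{ value: messageValue }(..., _refundAddress);
    //   _refundExcess(excess);
}
```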