sherlock-audit / 2024-09-symmio-v0-8-4-update-contest-judging


Petite Spruce Mammoth - Lack of validation for `bridgeAddress` and `amount` in `transferToBridge` will potentially lead to loss of funds and DoS attacks by spamming transactions in `BridgeFacet.sol` #70

Closed sherlock-admin3 closed 1 week ago

sherlock-admin3 commented 1 week ago

Petite Spruce Mammoth

Low/Info

Lack of validation for bridgeAddress and amount in transferToBridge will potentially lead to loss of funds and DoS attacks by spamming transactions in BridgeFacet.sol

Summary

Lack of validation for bridgeAddress and amount in transferToBridge in BridgeFacet.sol will potentially lead to loss of funds and DoS attacks by spamming transactions.

Root Cause

https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Bridge/BridgeFacet.sol#L16-L19

The function does not check if bridgeAddress is a valid address (e.g., non-zero address). If an attacker or user accidentally sends funds to address 0x0, they could lose the funds irreversibly. If amount == 0, it could result in a meaningless or malicious transaction. Zero-value transfers may clutter the blockchain and potentially open doors for Denial of Service (DoS) attacks by spamming transactions.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

  1. Transferring to a zero address can lead to irrecoverable loss of funds.
  2. Zero-value transactions could be used to spam or manipulate events.

PoC

No response

Mitigation

Add input validation to check that bridgeAddress is not 0x0 and that amount is greater than zero.

require(bridgeAddress != address(0), "Invalid bridge address");
require(amount > 0, "Amount must be greater than zero");
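As an added illustration (not code from the Symmio repository or the judging thread), a minimal hypothetical facet carrying the two checks proposed above, plus a Foundry test that confirms both revert paths with the exact revert strings; the parameter order, the balance mappings and the `deposit` helper are assumptions, not taken from the audited `BridgeFacet.sol`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import "forge-std/Test.sol";

// Hypothetical minimal facet (not the audited Symmio BridgeFacet): only enough
// state to exercise the two input checks proposed in the report.
contract MinimalBridgeFacet {
    mapping(address => uint256) public balances;       // assumed user balances
    mapping(address => uint256) public bridgeBalances; // assumed per-bridge balances
    event TransferToBridge(address indexed user, address indexed bridge, uint256 amount);

    function deposit(uint256 amount) external { balances[msg.sender] += amount; }

    // Parameter order is assumed, not taken from the audited contract.
    function transferToBridge(uint256 amount, address bridgeAddress) external {
        require(bridgeAddress != address(0), "Invalid bridge address");
        require(amount > 0, "Amount must be greater than zero");
        require(balances[msg.sender] >= amount, "Insufficient balance");
        balances[msg.sender] -= amount;
        bridgeBalances[bridgeAddress] += amount;
        emit TransferToBridge(msg.sender, bridgeAddress, amount);
    }
}

contract MinimalBridgeFacetTest is Test {
    MinimalBridgeFacet facet;
    address user = makeAddr("user");
    address bridge = makeAddr("bridge");

    function setUp() public {
        facet = new MinimalBridgeFacet();
        vm.prank(user);
        facet.deposit(1_000e18); // constructed sample balance
    }

    // Zero bridge address must be rejected before any balance moves.
    function test_RevertsOnZeroBridgeAddress() public {
        vm.prank(user);
        vm.expectRevert(bytes("Invalid bridge address"));
        facet.transferToBridge(100e18, address(0));
    }

    // Zero-value transfers must be rejected so they cannot be spammed for free.
    function test_RevertsOnZeroAmount() public {
        vm.prank(user);
        vm.expectRevert(bytes("Amount must be greater than zero"));
        facet.transferToBridge(0, bridge);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; both tests pass only if the checks sit before any state change.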