search

sujithsomraaj / lifi-stargate-v2-audit

3 Day Review [10 Jun 2024 - 13 Jun 2024]
0 stars 0 forks source link

Validate if `_stargateData.sendParams.to` address is the `ReceiverStargateV2` contract on dstEid #13

Open sujithsomraaj opened 5 months ago

sujithsomraaj commented 5 months ago

Context: StargateFacetV2.sol#L50, StargateFacetV2.sol#L73

Description: The functions swapAndStartBridgeTokensViaStargate and startBridgeTokensViaStargate allow the user to specify the receiver address of the stargate bridging through the _stargateData param.

The function has validations to ensure that if the _bridgeData.hasDestinationCall flag is enabled, then the composing.length should also be greater than zero. However, it is best to ensure that the to address is the ReceiverStargateV2 address from where the destination call is made.

Recommendation: Consider adding the above-mentioned validation to avoid any unforeseen issues due to API failures.

LI.FI:

Researcher:

0xDEnYO commented 5 months ago

@maxklenk

What do you think about this? For sure such a check would make sense. But that applies to all facets with destination calls and so far we have been going well without this check.

I personally would vote to not implement it.

maxklenk commented 5 months ago

I would not "hardcode" the receiver contracts in the facet that makes it quite hard to manage and keep things in sync.

0xDEnYO commented 5 months ago

Agreed. Closing this issue. @ezynda3 FYI

sujithsomraaj commented 5 months ago

also make sure the off-chain processor of transactions has this check btw.