Validate if `stargateData.assetId` and `_bridgeData.sendingAssetId` matches

[sujithsomraaj]

Context: StargateFacetV2.sol#L105

Description: The _startBridge internal function initiates a bridging process using Stargate bridge. The function receives two types of assets for sending from _bridgeData.sendingAssetId and _stargateData.assetId, which could be unrelated.

Any discrepancies in both values could lead to unexpected behavior. Ideally, the diamond contract holds no funds and hence the function call should revert, but an additional check could prevent future issues.

Recommendation: It's more logical to either have an internal mapping / read the token() from the router address to ensure the right asset is passed in both parameters.

// get the address of the Stargate pool/router contract
address routerAddress = _getRouterAddress(_stargateData.assetId);
+ require(_bridgeData.sendingAssetId == IPool(routerAddress).token());

LI.FI:

Researcher:

[0xDEnYO]

I see your point but I feel that this is an additional check which would not provide a huge value. If bridgeData.sendingAssetId will not match with the tokenAddress of the pool then the whole tx will fail (e.g. the deposited token would not match with the token to be bridged etc.).

Can you construct a case where this is not true, @sujithsomraaj ?

[sujithsomraaj]

As I mentioned in the report, it'll revert, so if you think it's a gas overhead, then fine, you could avoid adding this.

[0xDEnYO]

OK. We will close this issue then as we prefer to save the gas. Thanks for pointing it out though.