fix(contracts): quote management for L2->L1 hooks #4552
// Immutable quote amount | ||
uint256 public immutable GAS_QUOTE; | ||
// child hook to call first | ||
IPostDispatchHook public immutable childHook; |
Check notice
Code scanning / Olympix Integrated Security
Some state variables are not being fuzzed in test functions, potentially leaving vulnerabilities unexplored. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-variables Low
// Immutable quote amount | ||
uint32 public immutable GAS_QUOTE; | ||
// child hook to call first | ||
IPostDispatchHook public immutable childHook; |
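Review bot: the comment on `GAS_QUOTE` ("Immutable quote amount") does not state a unit, and as `uint32` the value cannot exceed 4,294,967,295. If it is denominated in wei that ceiling is under 5 gwei, so state the unit in the comment and confirm the width is sufficient. Because the variable is `immutable`, a wrong value can only be corrected by redeploying the hook.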
Check notice
Code scanning / Olympix Integrated Security
Some state variables are not being fuzzed in test functions, potentially leaving vulnerabilities unexplored. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-variables Low
require( | ||
msg.value >= metadata.msgValue(0) + GAS_QUOTE, | ||
"OPL2ToL1Hook: insufficient msg.value" | ||
bytes memory payload = abi.encodeCall( |
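Review bot: the `>=` in `msg.value >= metadata.msgValue(0) + GAS_QUOTE` admits overpayment, and nothing in these lines says where the surplus goes. Add a comment naming the code path that refunds or forwards the excess, and cover the boundary in tests: `msg.value` exactly equal to the sum, and one wei below it.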
Check warning
Code scanning / Olympix Integrated Security
Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables Medium
require( | ||
metadata.msgValue(0) < 2 ** 255, | ||
"OPStackHook: msgValue must be less than 2 ** 255" | ||
bytes memory payload = abi.encodeCall( |
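Review bot: the `2 ** 255` bound in this `require` is a magic number with no comment explaining why the top bit of `msgValue` must be clear. Suggest a named constant with a one-line rationale, plus tests at `2 ** 255 - 1` and `2 ** 255`.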
Check warning
Code scanning / Olympix Integrated Security
Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables Medium
@@ -72,7 +78,9 @@ | |||
options, | |||
false // payInLzToken | |||
); | |||
lZEndpoint.send{value: msg.value}(msgParams, refundAddress); | |||
|
|||
uint256 quote = _quoteDispatch(metadata, message); |
Check warning
Code scanning / Olympix Integrated Security
Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables Medium
lZEndpoint.send{value: msg.value}(msgParams, refundAddress); | ||
|
||
uint256 quote = _quoteDispatch(metadata, message); | ||
lZEndpoint.send{value: quote}(msgParams, refundAddress); |
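Review bot: `lZEndpoint.send{value: quote}` now forwards the computed quote, but nothing in the visible lines checks `msg.value >= quote` before the call or returns `msg.value - quote` after it. On underpayment the call either fails without a descriptive error or is topped up from any balance the hook already holds; on overpayment the difference stays in the hook. Suggest an explicit `require(msg.value >= quote, ...)` ahead of the send and a refund of the surplus.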
Check warning
Code scanning / Olympix Integrated Security
Calling a function without checking the return value may lead to silent failures. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unused-return-function-call Medium
lZEndpoint.send{value: msg.value}(msgParams, refundAddress); | ||
|
||
uint256 quote = _quoteDispatch(metadata, message); | ||
lZEndpoint.send{value: quote}(msgParams, refundAddress); |
Check warning
Code scanning / Olympix Integrated Security
Using send() without checking the return value may lead to silent failures of ether transmittal. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unchecked-send Medium
|
||
_sendMessageId(metadata, message); | ||
|
||
uint256 _overpayment = msg.value - _quoteDispatch(metadata, message); |
Check warning
Code scanning / Olympix Integrated Security
Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables Medium
…thHook` and refund surplus
|
||
uint256 _overpayment = msg.value - _quoteDispatch(metadata, message); | ||
if (_overpayment > 0) { | ||
address _refundAddress = metadata.refundAddress( |
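Review bot: the subtraction in `uint256 _overpayment = msg.value - _quoteDispatch(metadata, message);` has no preceding check that `msg.value` covers the quote. With checked arithmetic an underpayment reverts with a generic panic and no reason string; with unchecked arithmetic it wraps to a very large `_overpayment`. Suggest computing the quote once into a local, adding `require(msg.value >= quote, ...)` with a message, and subtracting only after that.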
Check warning
Code scanning / Olympix Integrated Security
Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables Medium
…thHook` and refund surplus
Description
AbstractMessageIdAuthHook
and refund surplus
Note: LayerzeroL2Hook currently also refunds from msg.value, will make it into issue to be fixed later as we're using the layerzero hooks right now.
Drive-by changes
Related issues
Backward compatibility
No
Testing
Fuzz