Description

The updated Aori contract introduces a new depositNative function designed exclusively for handling orders with a native token deposit. However, the deposit function with a hook still includes logic to process cases where the specified inputToken is the NATIVE_TOKEN address and assumes that the caller will supply the corresponding native token amount.

function deposit(
    Order calldata order,
    bytes calldata signature,
    SrcHook calldata hook
) external nonReentrant whenNotPaused onlySolver {
    [...]
    // Execute hook and handle single-chain or cross-chain logic
    (uint256 amountReceived, address tokenReceived) = 
        _executeSrcHook(order, hook);
    [...]
}

function _executeSrcHook(
    Order calldata order,
    SrcHook calldata hook
) internal allowedHookAddress(hook.hookAddress) returns (
    uint256 amountReceived,
    address tokenReceived
) {
    // Transfer input tokens to the hook
    if (order.inputToken.isNativeToken()) {
        require(msg.value == order.inputAmount, "Incorrect native amount");
        (bool success, ) = payable(hook.hookAddress).call{value: order.inputAmount}("");
        require(success, "Native transfer to hook failed");
    [...]
}

Impact

Although the deposit function is not meant to handle native tokens, the _executeSrcHook function still allows them to be provided. The actual impact is informational since the deposit function is not marked as payable, which means native tokens cannot be sent during the call.

Recommendations

We recommend removing the native token--handling logic from the _executeSrcHook function, as this code path is unused and adds unnecessary complexity. Additionally, we suggest adding a check in the deposit function with a hook to ensure that inputToken cannot be a native token.

Remediation

This issue has been acknowledged by Aori, and fixes were implemented in the following commits:

• ff76040c↗
• c023f0cd↗