Assessment reports>Astria Bridge>High findings>Invalid address could break down the bridge withdrawer
Category: Coding Mistakes

Invalid address could break down the bridge withdrawer

High Severity
High Impact
High Likelihood

Description

The watcher of the bridge withdrawer is responsible for monitoring the bridge contract's event log. When a user sends a transaction to the bridge address with parameters in rollup, the bridge withdrawer will listen for this event to submit a withdraw action to the sequencer.

However, in watcher of the bridge withdrawer, the destination chain address is not validated during logging. If the destination chain address is invalid, the bridge withdrawer crashes during parsing the destination address as bech32m format.

// ...
function withdrawToSequencer(string calldata destinationChainAddress) external payable sufficientValue(msg.value) {
    emit SequencerWithdrawal(msg.sender, msg.value, destinationChainAddress);
}
// ...

Impact

A malicious user could send a transaction to the bridge withdrawer with an invalid destination chain address. This would cause the bridge withdrawer to crash, preventing it from processing any further transactions.

Below is a proof of concept for this issue:

cast send 0xa58639fb5458e65e4fa917ff951c390292c24a15 --private-key $PK 'withdrawToSequencer(string)' "bbbb" -r http://executor.astria.localdev.me --value 100000000000000000
2024-07-19T13:33:22.398641Z ERROR astria_bridge_withdrawer::bridge_withdrawer: task returned with error task="ethereum watcher" error={"0": "block handler exited", "1": "failed to sync from next rollup block height", "2": "failed to get and send events at block", "3": "failed getting actions for block; block hash: `0xd3d1…54cf`, block height: `230`", "4": "failed to parse destination chain address as Astria address for a bridge unlock", "5": "failed decoding provided bech32m string", "6": "parsing failed", "7": "character error", "8": "invalid character (code=b)"}
// ...
2024-07-19T13:33:22.399185Z  INFO astria_bridge_withdrawer: withdrawer stopped

Recommendations

Consider checking the destination chain address before logging the event.

Remediation

Zellic © 2025Back to top ↑