Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Cloak V1>Medium findings>The function ,finalizeWithdrawERC20, does not implement the logic for forwarding data
GeneralOverview
Findings
Medium (2)The function finalizeWithdrawERC20 does not implement the logic for forwarding dataFront-running the encryption-key--registration transaction can deny service to function finalizeBundle
Low (1)
Threat ModelWhat are threat models?FastWithdrawVault.solL1ERC20GatewayValidium.solL1WETHGatewayValidium.solScrollChainValidium.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

The function finalizeWithdrawERC20 does not implement the logic for forwarding data

Medium Impact
Medium Severity
Medium Likelihood

Description

The comment in the function finalizeWithdrawERC20 states that the parameter _data is optional data that will be forwarded to the recipient. However, this function does not implement the logic to forward _data to the recipient.

/// @param _data Optional data to forward to recipient's account.
function finalizeWithdrawERC20(
    // [...]
    bytes calldata _data
) external payable;

Impact

When the function finalizeWithdrawERC20 is called, the user is unable to receive the expected forwarded _data.

Recommendations

Consider implementing the logic to forward _data to the recipient.

Remediation

This issue has been acknowledged by Scroll, and a fix was implemented in PR #157.

Zellic © 2025Back to top ↑