Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Example String-Passing Solana OApp>Informational findings>Ambiguous state initialization
GeneralOverview
Findings
Informational (2)Initialization can be front-runAmbiguous state initialization
Threat ModelWhat are threat models?MyOApp.solprogram
Audit ResultsAssessment Results
Category: Business Logic

Ambiguous state initialization

Informational Impact
Low Severity
Low Likelihood

Description

Both the Solana and EVM example OApps save the received message in permanent storage.

When the OApps are initialized, the variable holding the received message is initialized with the default content "Nothing received yet.". This makes the state of newly initialized OApps indistinguishable from the state of an OApp that has received a message containing the same string.

Impact

The OApps cannot reliably distinguish between having received no message or having received a message with the content "Nothing received yet.".

As the OApps are just examples that do not implement any real functionality, this is not a vulnerability per se, but this design sets a poor example for developers who will use the example OApps as a starting point for their products.

Recommendations

The Solana OApp could use Option<String> to store the received message.

Solidity does not have a built-in option type; therefore, a separate boolean flag could be used.

Remediation

Zellic © 2025Back to top ↑