Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Hyperlane - Radix>Discussion>required hook may potentially be executed twice
GeneralOverview
Findings
High (1)
Medium (1)
Low (1)
Informational (1)
Discussionrequired hook may potentially be executed twiceTypos in the codebaseTest suiteCompromised owner account could maliciously update resource metadata
DesignComponent: Mailbox
Audit ResultsAssessment Results

required hook may potentially be executed twice

let default_hook = hook.or(self.default_hook);
if let Some(default_hook) = default_hook {
    let result = ScryptoVmV1Api::object_call(
        default_hook.as_node_id(),
        "post_dispatch",
        scrypto_args!(hook_metadata.clone(), hyperlane_message.clone(), payment),
    );
    payment = scrypto_decode(&result)
        .expect(&format_error!("failed to decode post_dispatch result"));
            }
if let Some(required_hook) = self.required_hook {
    let result = ScryptoVmV1Api::object_call(
        required_hook.as_node_id(),
        "post_dispatch",
        scrypto_args!(hook_metadata, hyperlane_message.clone(), payment),
    );
    payment = scrypto_decode(&result)
        .expect(&format_error!("failed to decode post_dispatch result"));
}

In the dispatch function, the post-dispatch hook default_hook can be overridden by the caller. If the caller passes a component address identical to that of the required_hook as the hook parameter, then the post_dispatch function of the required_hook may be executed twice.

If the required_hook is configured as an InterchainGasPaymaster, this could lead to duplicate payments; however, such a situation would result from end-user misconfiguration and cannot be prevented.

If the required_hook is configured as a MerkleTreeHook, the same message may be inserted into the merkle tree twice. This does not compromise the functionality or availability of the hook or ISM, but the InsertedIntoTreeEvent would be emitted twice with different indices.

Zellic © 2025Back to top ↑