Category: Coding Mistakes

Message can be sent multiple times to an untrusted recipient

Medium Severity
Low Impact
Low Likelihood

Description

The process function in the Mailbox contract calls the recipient's interchain_security_module function before the message is recorded as delivered, which leaves process open to reentrancy from that call and potentially allows the same message to be sent to the recipient multiple times.

Impact

We do not believe this poses a serious security risk, because it is unlikely that the interchain_security_module function is implemented in a way that triggers the reentrancy. The finding only applies to a recipient that actively exploits this behavior, and even then the risk is limited, since a malicious recipient could simply choose to accept any unchecked message in the first place.

Nonetheless, we recommend removing this behavior by recording the delivery before any external interaction (i.e., before invoking the interchain_security_module, verify, and handle functions).

Recommendations

Consider recording the delivery before any external interactions.
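The ordering problem described in the finding, and the effect of the recommended fix, can be reproduced with a small model. The following is an added, constructed Python illustration, not the Hyperlane Starknet Cairo code: the Mailbox, ISM, recipient and message classes, the "0xrecipient" address and the message-id scheme are all assumptions made for the demonstration. `VulnerableMailbox.process` performs the external calls (ISM lookup, verify, handle) before it records the delivery, so a recipient that calls back into `process` from its `interchain_security_module` function gets `handle` invoked twice for one message; `FixedMailbox.process` records the delivery first, so the reentrant call fails the already-delivered check.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """Minimal stand-in for an interchain message (constructed for this example)."""
    nonce: int
    recipient: str
    body: bytes

    @property
    def id(self) -> str:
        # Deterministic message id for the demo; the real Mailbox uses its own id scheme.
        return hashlib.sha256(
            self.nonce.to_bytes(4, "big") + self.recipient.encode() + self.body
        ).hexdigest()


class AcceptAllIsm:
    """Placeholder ISM that accepts every message (assumed; not a real Hyperlane ISM)."""

    def verify(self, message: Message) -> bool:
        return True


class VulnerableMailbox:
    """process() makes external calls before recording delivery (the pattern in the finding)."""

    def __init__(self, recipients: dict):
        self.recipients = recipients
        self.delivered = set()

    def process(self, message: Message) -> None:
        if message.id in self.delivered:
            raise RuntimeError("message already delivered")
        recipient = self.recipients[message.recipient]
        # External call into the recipient: it can reenter process() from here,
        # and the delivery has not been recorded yet.
        ism = recipient.interchain_security_module(message)
        if not ism.verify(message):
            raise RuntimeError("ISM rejected message")
        recipient.handle(message)          # second external call
        self.delivered.add(message.id)     # effect recorded only now


class FixedMailbox(VulnerableMailbox):
    """Same flow, but the delivery is recorded before any external interaction."""

    def process(self, message: Message) -> None:
        if message.id in self.delivered:
            raise RuntimeError("message already delivered")
        self.delivered.add(message.id)     # effect first: a reentrant call now fails the check
        recipient = self.recipients[message.recipient]
        ism = recipient.interchain_security_module(message)
        if not ism.verify(message):
            raise RuntimeError("ISM rejected message")
        recipient.handle(message)


class ReenteringRecipient:
    """Recipient whose ISM lookup calls back into the Mailbox once (constructed for the demo)."""

    def __init__(self):
        self.mailbox = None
        self.reentered = False
        self.handled = []                  # message ids passed to handle(), in order

    def interchain_security_module(self, message: Message):
        if not self.reentered:
            self.reentered = True
            try:
                self.mailbox.process(message)   # reentrant call during the ISM lookup
            except RuntimeError:
                pass                            # the fixed Mailbox rejects it here
        return AcceptAllIsm()

    def handle(self, message: Message) -> None:
        self.handled.append(message.id)


def deliveries_for(mailbox_cls) -> int:
    """Process one message through the given Mailbox variant; return how often handle() ran."""
    recipient = ReenteringRecipient()
    mailbox = mailbox_cls({"0xrecipient": recipient})
    recipient.mailbox = mailbox
    mailbox.process(Message(nonce=1, recipient="0xrecipient", body=b"hello"))
    return len(recipient.handled)


if __name__ == "__main__":
    print("vulnerable mailbox handled the message", deliveries_for(VulnerableMailbox), "times")
    print("fixed mailbox handled the message", deliveries_for(FixedMailbox), "times")
```

The only difference between the two Mailbox variants is where `self.delivered.add(message.id)` sits relative to the external calls; moving it ahead of the ISM lookup is the checks-effects-interactions ordering the recommendation asks for, and it closes the reentrant path without needing a separate reentrancy guard.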

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit 6ec78842.

Zellic © 2025