Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Hyperlane Starknet>Discussion>Nonce may overflow
GeneralOverview
Findings
Critical (5)
High (4)
Medium (5)
Low (5)
Informational (2)
DiscussionSame message can be inserted into the Merkle tree hook multiple timesNonce may overflow
Threat ModelMessage
Audit ResultsAssessment Results

Nonce may overflow

The Mailbox contract has the nonce variable, which should be incremented per dispatched message and inserted in all dispatched messages.

The type of the nonce variable is u32, which is not infeasible to be overflowed. An attacker may spend a substantial amount of gas in order to increment the nonce to which will disable the dispatch function.

Pragma has acknowledged the issue and decided to leave the nonce as the u32 type as of now. We also agree with their approach, because the size of the nonce is defined in the Hyperlane protocol and the consensus of Hyperlane protocol implementations should be required when they make changes.

Zellic © 2025Back to top ↑