Nonce may overflow
The Mailbox contract has a nonce variable, which is incremented for every dispatched message and inserted into each dispatched message. The type of the nonce variable is u32, which is small enough that overflowing it is not infeasible. An attacker may spend a substantial amount of gas to increment the nonce until it overflows, which will disable the dispatch function.
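The following Rust model is an added illustration written for this finding; it is not Pragma's or Hyperlane's code. It mirrors a mailbox whose dispatch nonce is a u32: each dispatch stamps the current nonce into the message and advances the counter with checked arithmetic, so the dispatch that would push the counter past u32::MAX fails instead of wrapping (Cairo's u32 arithmetic panics on overflow, which reverts the transaction). It also quantifies how many dispatches separate a given nonce from that failure; the per-dispatch gas figure used in main is a constructed assumption, not a number from the page.

```rust
/// Error returned when the nonce counter cannot be advanced.
#[derive(Debug, PartialEq)]
pub enum DispatchError {
    NonceOverflow,
}

/// Minimal mailbox holding only the dispatch nonce (added model, not Pragma's contract).
pub struct Mailbox {
    pub nonce: u32,
}

impl Mailbox {
    pub fn new(nonce: u32) -> Self {
        Mailbox { nonce }
    }

    /// Stamps the current nonce into the message and advances the counter.
    /// `checked_add` models the revert-on-overflow behaviour of u32 arithmetic:
    /// once `nonce == u32::MAX`, every further dispatch fails and state is unchanged.
    pub fn dispatch(&mut self, body: &[u8]) -> Result<(u32, Vec<u8>), DispatchError> {
        let next = self.nonce.checked_add(1).ok_or(DispatchError::NonceOverflow)?;
        let assigned = self.nonce;
        let mut message = assigned.to_be_bytes().to_vec(); // 4-byte nonce prefix
        message.extend_from_slice(body);
        self.nonce = next;
        Ok((assigned, message))
    }
}

/// Number of dispatches that still succeed before the counter is exhausted.
pub fn dispatches_until_exhaustion(nonce: u32) -> u64 {
    u32::MAX as u64 - nonce as u64
}

/// Total gas needed to exhaust the counter from `nonce`, assuming a constant
/// per-dispatch cost (the cost figure is an assumption supplied by the caller).
pub fn gas_to_exhaust(nonce: u32, gas_per_dispatch: u64) -> u128 {
    dispatches_until_exhaustion(nonce) as u128 * gas_per_dispatch as u128
}

fn main() {
    // Start one step below the maximum to show the last good dispatch and the failure.
    let mut mailbox = Mailbox::new(u32::MAX - 1);
    println!("dispatch #1: {:?}", mailbox.dispatch(b"hello"));
    println!("dispatch #2: {:?}", mailbox.dispatch(b"hello"));

    // Cost of exhausting the counter from a fresh deployment; 100_000 gas per
    // dispatch is a constructed placeholder, not a measured value.
    let per_dispatch = 100_000;
    println!(
        "from nonce 0: {} dispatches, {} gas at {} gas each",
        dispatches_until_exhaustion(0),
        gas_to_exhaust(0, per_dispatch),
        per_dispatch
    );
}
```

The useful number for triage is the 4,294,967,295 successful dispatches needed from a fresh deployment: multiplied by any realistic per-dispatch cost, it shows why the team can reasonably accept the risk while the nonce width stays fixed by the protocol, and a monitor that alerts on the nonce approaching u32::MAX gives ample warning should the counter ever climb that far.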
Pragma has acknowledged the issue and decided to leave the nonce as the u32 type for now. We also agree with their approach, because the size of the nonce is defined in the Hyperlane protocol, and changing it should require consensus among the Hyperlane protocol implementations.