Lack of validation of outputToken address
Description
In the executeOdosHook function of the AcrossHook contract, there is a lack of validation to ensure that the outputToken specified by the user in hookData is not the zero address. Since the zero address is used in OdosRouterV3 to represent native tokens, users may assume that it is a valid and supported value. However, on the destination chain, the handleV3AcrossMessage function, which processes the bridged message and tokens received from the SpokePool contract, will revert if tokenSent (equivalent to the outputToken from the sending side) is the zero address.
    function handleV3AcrossMessage(address tokenSent, uint256 amount, address, bytes memory message)
        external
        virtual
        onlySpokePool
    {
        require(tokenSent != address(0), "AcrossHandler: tokenSent cannot be the zero address");
        [...]
    }

Impact
If the user specifies the zero address to indicate native-token usage, the swap process on the destination chain will fail, and the bridging and swap will not be completed.
Recommendations
We recommend adding a validation check in the executeOdosHook function to ensure that outputToken is not the zero address.
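A sketch of the recommended source-side check, added here as an illustration; it is not the Odos AcrossHook code or the fix from the PR. The executeOdosHook signature, the HookData layout, the ZeroOutputToken error and the _bridge helper are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: not the Odos AcrossHook source.
abstract contract AcrossHookSketch {
    /// Hypothetical shape of the user-supplied hookData payload.
    struct HookData {
        address outputToken; // becomes tokenSent on the destination chain
        uint256 destinationChainId;
        bytes message; // forwarded to handleV3AcrossMessage
    }

    /// Hypothetical custom error for the rejected input.
    error ZeroOutputToken();

    /// Hypothetical signature; only the function name comes from the finding.
    function executeOdosHook(bytes calldata hookData) external payable virtual {
        HookData memory data = abi.decode(hookData, (HookData));

        // address(0) denotes the native token in OdosRouterV3, but the
        // destination handler requires tokenSent != address(0). Enforcing the
        // same invariant here makes the call fail on the source chain instead
        // of reverting later in handleV3AcrossMessage.
        if (data.outputToken == address(0)) revert ZeroOutputToken();

        _bridge(data);
    }

    /// Hypothetical hand-off to the bridging logic, left to the implementer.
    function _bridge(HookData memory data) internal virtual;
}
```

Keeping the source-side check identical to the destination-side require means any value the handler would reject is refused before the bridge message is created.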
Remediation
This issue has been acknowledged by Odos, and a fix was implemented in PR #3.