Lack of verification on burn tokens
Description
During token bridging, an input token is burned to ensure 1:1 bridging (excluding fees) against token's minted through off-chain processes. However, at this stage any token can be used as the _burnTokenAddress
, whereas bridging is only intended to support two tokens TNUSD
and TNSGD
.
Impact
The lack of input token validation could potentially result in the burning of arbitrary tokens. However, the impact is currently limited to informational, as the use of arbitrary tokens is mitigated by the burn limit per-message check implemented in the burn
function of the TokenBurner contract.
modifier onlyWithinBurnLimit(address token, uint256 amount) {
uint256 _allowedBurnAmount = burnLimitsPerMessage[token];
require(_allowedBurnAmount > 0, "Burn token not supported");
require(amount <= _allowedBurnAmount, "Burn amount exceeds per tx limit");
_;
}
Recommendations
Since the onlyWithinBurnLimit
modifier is not included in the TokenMessenger contract and the localBurner contract address is mutable, we recommend adding explicit checks in the depositForBurn
and depositForBurnWithCaller
functions that the burn token matches the intended token, this could be done via immutable or constant variables to encourage gas optimizations during bridging operations.