Description

During token bridging, an input token is burned to ensure 1:1 bridging (excluding fees) against token's minted through off-chain processes. However, at this stage any token can be used as the _burnTokenAddress, whereas bridging is only intended to support two tokens TNUSD and TNSGD.

Impact

The lack of input token validation could potentially result in the burning of arbitrary tokens. However, the impact is currently limited to informational, as the use of arbitrary tokens is mitigated by the burn limit per-message check implemented in the burn function of the TokenBurner contract.

modifier onlyWithinBurnLimit(address token, uint256 amount) {
    uint256 _allowedBurnAmount = burnLimitsPerMessage[token];
    require(_allowedBurnAmount > 0, "Burn token not supported");
    require(amount <= _allowedBurnAmount, "Burn amount exceeds per tx limit");
    _;
}

Recommendations

Since the onlyWithinBurnLimit modifier is not included in the TokenMessenger contract and the localBurner contract address is mutable, we recommend adding explicit checks in the depositForBurn and depositForBurnWithCaller functions that the burn token matches the intended token, this could be done via immutable or constant variables to encourage gas optimizations during bridging operations.

Remediation