Description

The TokenMessenger contract is an event driven bridge that triggers off-chain minting processes on a remote chain after burning tokens on the local chain. The minting process relies on nonce for uniqueness guarantees, however, this is managed separately by NonceManager contract. The addition of an external NonceManager contract is to ensure consistency in the nonce if the TokenMessenger contract is changed or replaced then existing nonce values can be reused by pointing back to the existing NonceManager. However, since the NonceManager contract can change, guarantees made for the nonce uniqueness may fail in the TokenManager.

If the nonce manager is changed or updated, this could result in a nonce being used that has already been used before. Since there is no check made in the _depositForBurn() function, that reused nonce may cause unexpected behavior for off-chain event listeners.

Impact

Low severity issue, requires administrative errors involving the removal NonceManager followed by the addition of a new one.

Recommendations

Nonce uniqueness should be a strict invariant, avoid circumstances where an external contract can be changed in such a way that could result in nonce reuse. We recommend the removal of the external NonceManager, enforcing the nonce increments at the TokenMessenger level.

If there is a re-deployment of the TokenMessenger, supply a migration process that insures a specific nonce start point, based on where it was previously left at.

Remediation

This issue has been acknowledged by Trillion, and a fix was implemented in commit 56450339↗.