Message Nonce uniqueness lacks guarantees
Description
The TokenMessenger contract is an event-driven bridge: it burns tokens on the local chain and emits an event that triggers an off-chain minting process on a remote chain. The minting process relies on the nonce for uniqueness guarantees; however, the nonce is managed separately by the NonceManager contract. The external NonceManager exists so that the nonce sequence stays consistent if the TokenMessenger contract is changed or replaced: a new TokenMessenger can continue the existing sequence by pointing back at the existing NonceManager. However, since the NonceManager contract itself can be changed, the nonce uniqueness guarantees that the TokenMessenger relies on may fail.
If the NonceManager is changed or updated, a nonce that has already been used may be issued again. Since _depositForBurn() performs no check against previously used nonces, the reused nonce may cause unexpected behavior for off-chain event listeners.
Impact
Low severity. Triggering the issue requires an administrative error: removing the existing NonceManager and then adding a new one.
Recommendations
Nonce uniqueness should be a strict invariant: avoid any configuration in which an external contract can be changed in a way that results in nonce reuse. We recommend removing the external NonceManager and enforcing nonce increments at the TokenMessenger level.
If the TokenMessenger is redeployed, supply a migration process that ensures the new deployment starts from a specific nonce, based on where the previous deployment left off.
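To make the failure mode and the recommended fix concrete, the following Solidity is an added illustration written for this page; it is not Trillion's code, and every name in it (the INonceManager interface, owner and setNonceManager, the event signature, startNonce) is assumed rather than taken from the audited contracts. The first messenger reproduces the pattern described above, where the nonce source is a swappable external contract; the second keeps the counter inside the messenger, exposes no setter, and takes its starting nonce as a constructor argument so a redeployment can continue the sequence.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: names and layout are assumptions, not the audited code base.
interface INonceManager {
    function reserveAndIncrementNonce() external returns (uint64);
}

// A fresh deployment always restarts at 0.
contract NonceManager is INonceManager {
    uint64 private _nextNonce;

    function reserveAndIncrementNonce() external returns (uint64 nonce) {
        nonce = _nextNonce;
        _nextNonce = nonce + 1;
    }
}

// BEFORE: the messenger reads nonces from an external contract that an admin can replace.
contract TokenMessengerSwappableNonce {
    address public owner;
    INonceManager public nonceManager;

    event DepositForBurn(uint64 indexed nonce, address indexed depositor, uint256 amount);

    constructor(INonceManager nm) {
        owner = msg.sender;
        nonceManager = nm;
    }

    // Pointing at a newly deployed NonceManager silently restarts the sequence at 0,
    // so nonces already emitted in DepositForBurn events are emitted again.
    function setNonceManager(INonceManager nm) external {
        require(msg.sender == owner, "not owner");
        nonceManager = nm;
    }

    function _depositForBurn(uint256 amount) internal {
        // No check here that the nonce is greater than any nonce emitted before.
        uint64 nonce = nonceManager.reserveAndIncrementNonce();
        emit DepositForBurn(nonce, msg.sender, amount);
    }

    function depositForBurn(uint256 amount) external {
        _depositForBurn(amount);
    }
}

// AFTER: the counter lives in the messenger, only ever increases, and has no setter.
// A redeployment seeds it from the predecessor's nextAvailableNonce() once the
// predecessor has been paused, so the sequence continues instead of restarting.
contract TokenMessengerOwnedNonce {
    uint64 public nextAvailableNonce;

    event DepositForBurn(uint64 indexed nonce, address indexed depositor, uint256 amount);

    constructor(uint64 startNonce) {
        nextAvailableNonce = startNonce;
    }

    function _reserveAndIncrementNonce() internal returns (uint64 nonce) {
        nonce = nextAvailableNonce;
        nextAvailableNonce = nonce + 1; // strictly monotonic for the life of the contract
    }

    function _depositForBurn(uint256 amount) internal {
        emit DepositForBurn(_reserveAndIncrementNonce(), msg.sender, amount);
    }

    function depositForBurn(uint256 amount) external {
        _depositForBurn(amount);
    }
}
```

Walking through the first contract: two deposits against NonceManager A emit nonces 0 and 1; after the owner calls setNonceManager with a freshly deployed NonceManager B, the next deposit emits nonce 0 again, and an off-chain listener keyed on the nonce sees a duplicate. In the second contract the only way to obtain a nonce is through _reserveAndIncrementNonce(), and a migration is `new TokenMessengerOwnedNonce(old.nextAvailableNonce())` taken after the old messenger stops accepting deposits, which is the start-point guarantee the recommendation asks for.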
Remediation
This issue has been acknowledged by Trillion, and a fix was implemented in commit 56450339.