The lack of verification of the payload data
Description
Within the functions bridge, permitSwapAndBridge, and swapAndBridge, there is no validation of the payload or bridgePayload data provided by users. These bytes are passed as-is to the stargateRouter contract, which forwards them to the destination chain.
The sgReceive function on the destination chain expects _payload to contain the receiver address, the vault's epoch id, and the vaultAddress. If the data does not match that format, abi.decode reverts, so the refund path through the _stageRefund function is never reached: the whole sgReceive call fails before any refund can be staged.
function sgReceive(
    uint16 _chainId,
    bytes memory _srcAddress,
    uint256 _nonce,
    address _token,
    uint256 amountLD,
    bytes calldata _payload
) external payable override {
    if (msg.sender != stargateRelayer && msg.sender != stargateRelayerEth)
        revert InvalidCaller();
    (address receiver, uint256 id, address vaultAddress) = abi.decode(
        _payload,
        (address, uint256, address)
    );
    if (id == 0) return _stageRefund(receiver, _token, amountLD);
    if (whitelistedVault[vaultAddress] != 1)
        return _stageRefund(receiver, _token, amountLD);
    bool success = _depositToVault(id, amountLD, _token, vaultAddress);
    if (!success) return _stageRefund(receiver, _token, amountLD);
    receiverToVaultToIdToAmount[receiver][vaultAddress][id] += amountLD;
    emit ReceivedDeposit(_token, address(this), amountLD);
}
Impact
The absence of proper payload validation exposes the system to potential issues, as incorrect or malformed payloads could cause the subsequent sgReceive function call from the zapDest contract to revert. Such reverts could lead to locked funds and hinder the expected behavior of the system.
Recommendations
Instead of accepting raw payload data from users, we recommend encoding the payload directly inside the functions bridge, permitSwapAndBridge, and swapAndBridge. This ensures that the payload is created in the expected format and reduces the likelihood of malformed payloads causing reverts in the destination contract.
If the payload must be provided by users, we recommend implementing robust input validation so that only valid and properly formatted payloads are accepted.
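As an added illustration (not Y2K Finance's code), the following Solidity sketch contrasts a bridge entry point that forwards raw user bytes with the two remedies above: building the payload in-contract from typed parameters, and validating the shape of user-supplied bytes on the source chain before forwarding them. The router interface, contract name, and function signatures are assumptions; only the (receiver, id, vaultAddress) payload layout comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Y2K Finance code. The router interface below is a
// simplified stand-in for the Stargate router (assumption): only the payload
// argument matters for this finding.
interface IStargateRouterLike {
    function swap(uint16 dstChainId, uint256 amountLD, bytes calldata to, bytes calldata payload)
        external
        payable;
}

contract ZapBridgeExample {
    IStargateRouterLike public immutable stargateRouter;
    bytes public zapDestEncoded; // destination-chain zapDest address as bytes (assumption)

    error InvalidPayload();

    constructor(IStargateRouterLike router, address zapDest) {
        stargateRouter = router;
        zapDestEncoded = abi.encodePacked(zapDest);
    }

    // Before: the caller supplies opaque bytes. If they do not decode as
    // (address, uint256, address), abi.decode in sgReceive reverts on the
    // destination chain, so the _stageRefund path is never reached.
    function bridgeUnchecked(uint16 dstChainId, uint256 amountLD, bytes calldata bridgePayload)
        external
        payable
    {
        stargateRouter.swap{value: msg.value}(dstChainId, amountLD, zapDestEncoded, bridgePayload);
    }

    // First recommendation: accept typed parameters and let the contract build
    // the payload, so it always has the layout sgReceive expects.
    function bridge(uint16 dstChainId, uint256 amountLD, address receiver, uint256 id, address vaultAddress)
        external
        payable
    {
        if (receiver == address(0)) revert InvalidPayload(); // a refund would go nowhere
        bytes memory payload = abi.encode(receiver, id, vaultAddress);
        stargateRouter.swap{value: msg.value}(dstChainId, amountLD, zapDestEncoded, payload);
    }

    // Second recommendation, if raw bytes must be accepted: reject on the source
    // chain, before funds leave, anything the destination would fail to decode.
    // abi.encode(address, uint256, address) is exactly three 32-byte words;
    // abi.decode tolerates trailing bytes, hence the explicit length check, and
    // it reverts here rather than in sgReceive if an address word has non-zero
    // upper bytes.
    function validatePayload(bytes calldata payload)
        public
        pure
        returns (address receiver, uint256 id, address vaultAddress)
    {
        if (payload.length != 96) revert InvalidPayload();
        (receiver, id, vaultAddress) = abi.decode(payload, (address, uint256, address));
        if (receiver == address(0)) revert InvalidPayload();
    }

    function bridgeValidated(uint16 dstChainId, uint256 amountLD, bytes calldata bridgePayload)
        external
        payable
    {
        validatePayload(bridgePayload);
        stargateRouter.swap{value: msg.value}(dstChainId, amountLD, zapDestEncoded, bridgePayload);
    }
}
```

validatePayload is public and pure so that integrators can check a payload with an eth_call before submitting a transaction; a revert there costs nothing, whereas a revert inside sgReceive on the destination chain leaves the bridged tokens with no refund path.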
Remediation
This issue has been acknowledged by Y2K Finance, and a fix was implemented in commit 56a1461.