Category: Coding Mistakes

Lack of data validation for trustedRemoteLookup

Severity: Informational
Impact: Informational
Likelihood: Low

Description

The current implementation of the lzReceive function lacks checks to verify the validity of the data stored in trustedRemoteLookup[_srcChainId] and _srcAddress bytes.

If trustedRemoteLookup[_srcChainId] is not set and _srcAddress is zero bytes, the check if (keccak256(_srcAddress) != keccak256(trustedRemoteLookup[_srcChainId])) will not revert, because both sides hash empty bytes: keccak256("") == keccak256("").

function lzReceive(
    uint16 _srcChainId,
    bytes memory _srcAddress,
    uint64 _nonce,
    bytes memory _payload
) external override {
    if (msg.sender != layerZeroRelayer) revert InvalidCaller();
    if (
        keccak256(_srcAddress) !=
        keccak256(trustedRemoteLookup[_srcChainId])
    ) revert InvalidCaller();
    ...
}

Impact

The issue currently has no security impact, because it is not expected that the layerZeroRelayer contract will send an empty _srcAddress. But limiting a contract's attack surface is a crucial way to mitigate future risks.

Recommendations

To ensure data consistency and avoid potential issues, it is recommended to add the following checks:

  • trustedRemoteLookup[_srcChainId].length > 0

  • _srcAddress.length == trustedRemoteLookup[_srcChainId].length

An example of such checks can be found in the implementation provided by LayerZero Labs here.
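
The two recommended checks combined with the existing hash comparison, as an added example (not code from Y2K Finance or LayerZero Labs). The contract name, constructor, owner, and setTrustedRemote are hypothetical scaffolding so the snippet compiles on its own; the override specifier is omitted because no interface is declared here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example. HardenedReceiver, owner and setTrustedRemote are
// hypothetical names used only to make the check self-contained.
contract HardenedReceiver {
    error InvalidCaller();

    address public immutable layerZeroRelayer;
    address public immutable owner;
    mapping(uint16 => bytes) public trustedRemoteLookup;

    constructor(address _relayer) {
        layerZeroRelayer = _relayer;
        owner = msg.sender;
    }

    function setTrustedRemote(uint16 _chainId, bytes calldata _path) external {
        if (msg.sender != owner) revert InvalidCaller();
        trustedRemoteLookup[_chainId] = _path;
    }

    function lzReceive(
        uint16 _srcChainId,
        bytes memory _srcAddress,
        uint64, /* _nonce */
        bytes memory /* _payload */
    ) external view {
        if (msg.sender != layerZeroRelayer) revert InvalidCaller();

        bytes memory trustedRemote = trustedRemoteLookup[_srcChainId];
        // An unset mapping entry reads back as empty bytes. Rejecting a
        // zero-length entry first means keccak256("") == keccak256("")
        // can never satisfy the comparison for an unconfigured chain.
        if (
            trustedRemote.length == 0 ||
            _srcAddress.length != trustedRemote.length ||
            keccak256(_srcAddress) != keccak256(trustedRemote)
        ) revert InvalidCaller();

        // Payload handling would follow here.
    }
}
```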

Remediation

This issue has been acknowledged by Y2K Finance, and a fix was implemented in commit 32eaca8.

Zellic © 2024