Incorrect return value of function BaseTapiocaOmnichainEngine._payNative()

Severity: medium (Code4rena)

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/tapiocaOmnichainEngine/BaseTapiocaOmnichainEngine.sol#L80-L83

Vulnerability details

Description

In the LayerZero codebase, the function _payNative(_nativeFee) is designed to return the native fee associated with the message. However, when a contract initiates multiple LayerZero messages within a single transaction, the sender may need to supply more than just _nativeFee to execute them.

The BaseTapiocaOmnichainEngine contract facilitates multiple LayerZero messages within the Magnetar contract and the Tap token contract. The function _payNative() therefore needs to be overridden to return an amount of native tokens greater than just _nativeFee. The current implementation of BaseTapiocaOmnichainEngine._payNative(), however, still returns the value of the input _nativeFee.

```solidity
/**
 * @inheritdoc OAppSender
 * @dev Overwrite to check for < values.
 */
function _payNative(uint256 _nativeFee) internal override returns (uint256 nativeFee) {
    if (msg.value < _nativeFee) revert NotEnoughNative(msg.value);
    return _nativeFee;
}
```

Impact

Because only _nativeFee is sent along with the cross-chain message, the remaining amount, msg.value - _nativeFee, becomes trapped in the BaseTapiocaOmnichainEngine contract. This amount can be larger than just the fee to execute the transaction, since Magnetar also supports the LzComposeOption, which defines the msg.value used to execute the compose option.

Because insufficient native tokens are provided for the multiple LayerZero messages, certain functions cannot be executed (e.g., MagnetarBaseModule._lzCustomWithdraw(), TapTokenReceiver._claimTwpTapRewardsReceiver(), ...).

Tools Used

Manual review

Recommended Mitigation Steps

Consider modifying function BaseTapiocaOmnichainEngine._payNative() as follows:

```solidity
function _payNative(uint256 _nativeFee) internal override returns (uint256 nativeFee) {
    if (msg.value < _nativeFee) revert NotEnoughNative(msg.value);
    return msg.value;
}
```
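The value flow described under Impact, as an added example that is not code from the Tapioca or LayerZero repositories. MockEndpoint, EngineModel, sendMessage() and trapped() are hypothetical names, and the send path is assumed to forward exactly what _payNative() returns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical stand-in for the endpoint: records the native value that arrived.
contract MockEndpoint {
    uint256 public lastValue;

    function accept() external payable {
        lastValue = msg.value;
    }
}

/// Hypothetical model of the sender (assumption: the endpoint receives
/// exactly the amount that _payNative() returns).
abstract contract EngineModel {
    error NotEnoughNative(uint256 msgValue);
    MockEndpoint public immutable endpoint;

    constructor(MockEndpoint _endpoint) {
        endpoint = _endpoint;
    }

    function _payNative(uint256 _nativeFee) internal virtual returns (uint256 nativeFee);

    function sendMessage(uint256 _nativeFee) external payable {
        uint256 messageValue = _payNative(_nativeFee);
        endpoint.accept{value: messageValue}();
    }

    /// Native balance left behind in this contract after sends.
    function trapped() external view returns (uint256) {
        return address(this).balance;
    }
}

contract EngineAsReported is EngineModel {
    constructor(MockEndpoint e) EngineModel(e) {}

    function _payNative(uint256 _nativeFee) internal override returns (uint256 nativeFee) {
        if (msg.value < _nativeFee) revert NotEnoughNative(msg.value);
        return _nativeFee; // msg.value - _nativeFee stays in this contract
    }
}

contract EngineMitigated is EngineModel {
    constructor(MockEndpoint e) EngineModel(e) {}

    function _payNative(uint256 _nativeFee) internal override returns (uint256 nativeFee) {
        if (msg.value < _nativeFee) revert NotEnoughNative(msg.value);
        return msg.value; // everything received is forwarded
    }
}
```

Calling sendMessage(1) with 3 wei leaves trapped() at 2 on EngineAsReported, while on EngineMitigated it stays at 0 and the endpoint records 3.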

Assessed type

Context